Date: Wed, 6 Apr 2011 13:47:53 -0400 (EDT)
From: Josh Bressers <>
Cc: coley <>
Subject: Re: CVE for ruby on rails XSS fixes

----- Original Message -----
> Hi,
> Can someone assign a CVE for the XSS issue described in

Here is the changelog text:

*Rails 3.0.6 (April 5, 2011)

* Fixed XSS vulnerability in `auto_link`.  `auto_link` no longer marks
  input as html safe.  Please make sure that calls to auto_link() are
  wrapped in a sanitize(), or a raw() depending on the type of input passed
  to auto_link().
  For example:

    <%= sanitize(auto_link(some_user_input)) %>

  Thanks to Torben Schulz for reporting this.  The fix can be found here:

Use CVE-2011-1497
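The changelog entry above is the whole description of the fix. As an added illustration (not part of this post, and not Rails code), the plain-Ruby toy below models the three states it describes: auto_link output flagged html-safe without escaping (the pre-3.0.6 behaviour), auto_link output handed back as a plain String and escaped by the template (3.0.6 with no wrapper), and the recommended sanitize(auto_link(...)) pattern. SafeString, the regex-based sanitize and render are stand-ins for ActiveSupport's SafeBuffer, Rails' sanitize() helper and ERB output escaping respectively; SAMPLE_INPUT is a constructed attacker-style value.

```ruby
require "erb"

# Stand-in for an html-safe-flagged string. ActiveSupport's SafeBuffer is the
# real thing; this toy only carries the flag and does no escaping of its own.
class SafeString < String
  def html_safe?
    true
  end
end

URL_RE = %r{https?://[^\s<>"']+}

# Toy auto_link: wraps http(s) URLs in <a> tags. With mark_safe: true it models
# the pre-3.0.6 behaviour (output flagged safe although the surrounding user
# text was never escaped); with mark_safe: false it models 3.0.6, which hands
# back a plain String and leaves escaping to the caller.
def auto_link(text, mark_safe:)
  linked = text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
  mark_safe ? SafeString.new(linked) : linked
end

# Toy allowlist sanitizer standing in for Rails' sanitize(): keeps <a> tags
# whose href is an http(s) URL plus their closing tags, and escapes every other
# tag and all text. Real sanitize() uses a full HTML parser; this regex
# tokenizer is only enough to show the pattern.
def sanitize(html)
  clean = html.gsub(%r{<a href="(https?://[^"<>\s]*)">|</a>|<[^>]*>|<|[^<]+}) do |tok|
    if $1
      %(<a href="#{ERB::Util.html_escape($1)}">)
    elsif tok == "</a>"
      tok
    else
      ERB::Util.html_escape(tok)
    end
  end
  SafeString.new(clean)
end

# Toy model of what <%= ... %> does: emit html-safe values as-is, escape the rest.
def render(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s
  else
    ERB::Util.html_escape(value)
  end
end

# Constructed sample input: a URL followed by a script tag, as an attacker might
# submit it in a comment field.
SAMPLE_INPUT = "http://example.com/<script>alert(1)</script>"

# Pre-3.0.6 behaviour: the script tag reaches the page untouched.
def vulnerable_output(input = SAMPLE_INPUT)
  render(auto_link(input, mark_safe: true))
end

# 3.0.6 without the recommended wrapper: safe, but the links are escaped too.
def escaped_output(input = SAMPLE_INPUT)
  render(auto_link(input, mark_safe: false))
end

# 3.0.6 with the changelog's recommended pattern: links survive, script escaped.
def sanitized_output(input = SAMPLE_INPUT)
  render(sanitize(auto_link(input, mark_safe: false)))
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_output}"
  puts "escaped:    #{escaped_output}"
  puts "sanitized:  #{sanitized_output}"
end
```

The point the toy makes is the one the changelog makes: the helper that builds markup from user input is the wrong place to assert safety, because it cannot know whether its input was already escaped; returning a plain String forces the caller to choose sanitize() or raw() explicitly, and the template's default escaping then fails closed.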
