Rails 3.0.11 has been released

Ruby on Rails: Compress the complexity of modern web apps

Safer to_i coercion, custom to_fs formats, and more! This Week in Rails: May 16, 2026 This Week in Rails: May 8, 2026 This Week in Rails: May 1, 2026 Active Record gets better every week Great big Rails World 2026 update: CFP, Corporate Support tickets, workshops Query command for database queries and more Explicit query: and body: kwargs for integration tests and more! Speedup ActiveRecord::LogSubscriber#sql_color and more! This Week in Rails: March 27, 2026 Rails Versions 8.0.5 and 8.1.3 have been released! Rails Versions 7.2.3.1, 8.0.4.1, and 8.1.2.1 have been released! This Week in Rails: March 20, 2026 Validate URI scheme in Action Text and more This Week in Rails: March 6, 2026 Planning Center is the newest Rails Foundation Contributing member Action Text gets Markdown conversion, editor links in devcontainers, and more! BARRA seeks Rails developer Joe Agliozzo is looking for a Rails developer The rise of lighttpd as the alternative web server When longer is better and more is more Snowdevil: First e-tailer on Rails Natural selection for frameworks in Ruby vs Java Address book tutorial in Portuguese Becoming a better programmer with Rails 10 Things Every Java Programmer Should Know About Ruby Really Getting Started in Rails Off the Treadmill, Onto the Rails Rails 0.9.5: A world of fixes and tweaks Rich clients with Rails and XUL Pedrosa on Rails vs WebWork: 'Language DOES matter' 'Ruby on Rails is unbelievably good' Celebrating six months anniversary! Speeding up CGI access to Gem Rails CD Baby leaves PHP behind for Ruby on Rails "I think Ruby on Rails is way over hyped" Programmer needed for JSP to Rails conversion Beyond the 10,000th gem install of Rails 'That application is so stupid' Matz takes note of Ta-da and Rails Rails tutorial on O'Reilly's ONLamp Welcome Slashdotters! Ta-da goes international with UTF-8 Make your Ta-da list today Rails 0.9.4.1: Cleaning up the mess Rails 0.9.4: Caching, filters, SQLite3... An unusual high presence of Macs Having problems running tests under 1.8.2? It\'s all about the applications But what does Rails go web services with XML-RPC prototype Rails runs through XP Cincinnati RedHanded out-evangelizes the evangelizer Rails on Lighttpd with FastCGI Have a codefest and collect cash from RubyCentral Jamis Buck is working on Basecamp S5 Presents competes with SoapBX 3,000 people are doing 10,804 things... Using the Rails to impress potential employers Brian discovers the default logging goodness SoapBX: Presentations powered by S5, Textile, Rails Road Map: The rails leading to 1.0 Tracks: A Getting Things Done implementation Nicholas presents the Directors Rails 0.9.3: Optimistic locking, dynamic finders, 1.8.2 Ruby on the German Rails 43things in 5,204 lines of Ruby on Rails Watch for huge requests on default FCGI How the redesign of the website came to be Are you watching the health of your software? "Some amazing web apps appear on Ruby on Rails" Learning Ruby on Rails with 43things The Robot Co-op takes 43things.com live! Giving up on Java for lack of love Setting up EliteJournal on TextDrive without a vhost Celebrating 219 applied patches since 0.7 Escaping Java but not its thinking "Simple design that even my grandma can understand" Rails logo remixed by Olivier Hericord Rake 0.4.14 includes fix for Ruby 1.8.2 Splitting off the research patches Running rake tests with Ruby 1.8.2 Marten opens Epilog for Trac'ing Drew McLellan predicts Rails celebrates more than 10,000 downloads Variations on a railed theme Securing your Rails: Keep it secret, keep it safe Available for hire? Collaboa and EliteJournal joins the Trac Playing Active Records on MS SQLServer and DB2 Open sourcing the Rails logo Rails: Technology of the Year #1 Reacting to customer requests in real time Extracting missing content from wiki backups Ruby on Rails has its web presence overhauled 43 things makes The Seattle Times 5.gets David Heinemeier Hansson Ruby 1.8.2 finally sees the light of day Rails 0.9: Fast development, breakpoints, validations Rails 0.9.1: Small, but important bugfix for Action Pack

David Heinemeier Hansson · 2011-11-18 · via Ruby on Rails: Compress the complexity of modern web apps

Friday, November 18, 2011

Posted by jonleighton

Rails 3.0.11 has been released. This is a patch-level release containing bug fixes and an important security fix.

Possible XSS vulnerability in the translate helper method in Ruby on Rails

There is a vulnerability in the translate helper method which may allow an attacker to insert arbitrary code into a page.

Versions Affected: 3.0.0 and later, 2.3.X in combination with the rails_xss plugin
Not Affected: Pre-3.0.0 releases, without the rails_xss plugin, did no automatic XSS escaping, so are not considered vulnerable
Fixed Versions: 3.0.11, 3.1.2

Please see the rubyonrails-security posting and the changelog item below, for more details.

Changes

Action Mailer:

No changes

Action Pack:

Fix XSS security vulnerability in the translate helper method. When using interpolation in combination with HTML-safe translations, the interpolated input would not get HTML escaped. GH 3664

Before:
```
translate('foo_html', :something =&gt; '&lt;script&gt;') # =&gt; "...&lt;script&gt;..."
```
After:
```
 translate('foo_html', :something =&gt; '&lt;script&gt;') # =&gt; "...&amp;lt;script&amp;gt;..."
```
Sergey Nartimov
Implement a workaround for a bug in ruby-1.9.3p0 where an error would be raised while attempting to convert a template from one encoding to another.

Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.

The workaround is to load all conversions into memory ahead of time, and will only happen if the ruby version is exactly 1.9.3p0. The hope is obviously that the underlying problem will be resolved in the next patchlevel release of 1.9.3.
Fix assert_select_email to work on multipart and non-multipart emails as the method stopped working correctly in Rails 3.x due to changes in the new mail gem.
Fix url_for when passed a hash to prevent additional options (eg. :host, :protocol) from being added to the hash after calling it.

Active Model:

No changes

Active Record:

Exceptions from database adapters should not lose their backtrace.
Backport “ActiveRecord::Persistence#touch should not use default_scope” (GH #1519)
Psych errors with poor yaml formatting are proxied. Fixes GH #2645 and GH #2731
Fix ActiveRecord#exists? when passsed a nil value

Active Resource:

No changes

Active Support:

No changes

Railties:

Updated Prototype UJS to lastest version fixing multiples errors in IE [Guillermo Iguaran]

As ever, you can see a full list of commits between the versions on Github.

此内容由惯性聚合(RSS阅读器)自动聚合整理，仅供阅读参考。原文来自 — 版权归原作者所有。

推荐订阅源

Ruby on Rails: Compress the complexity of modern web apps

Friday, November 18, 2011

Posted by jonleighton

Possible XSS vulnerability in the translate helper method in Ruby on Rails

Changes