Ruby on Rails 2.3.7 Released

Posted by Jeremy Kemper May 24, 2010 @ 08:20 AM

With the 2.3.6 release hot out of the oven, Nathan Weizenbaum began updating HAML to support it. He uncovered a couple of bugs in the HTML-safety changes backported from Rails 3, so we’re cutting a 2.3.7 release to fix them.

If you use the rails_xss plugin for automatic HTML escaping, you should upgrade to Rails 2.3.7 and the latest rails_xss plugin.

If you don’t use the rails_xss plugin yet, now’s the time to start. It’s baked into Rails 3.

Update: fixing compatibility with the rails_xss plugin broke HTML-safety for apps that don’t use rails_xss. We’re sorry, all: HTML-safety is meant to be opt-in! The fix is available now in 2.3.8.pre1 and will be released shortly.

Posted in Releases | 40 comments

Comments

  1. Hendra Nicholas on 24 May 08:32:

    Prikittiiiw…! This new release is so close to Rails 2.3.6. Good job and thanks to all contributors.

  2. Ariel Akilie on 24 May 08:34:

    Awesome, bro..!

  3. sesharim on 24 May 08:38:

    Well, you guys are a disaster! :(

  4. AlekSi on 24 May 09:13:

    Thanks for fast fix.

  5. Michael on 24 May 09:15:

    I don’t want to use XSS-protected strings. Is there an option to opt out or do I need to monkeypatch some classes? Thanks in advance.

  6. ste on 24 May 09:33:

    It looks like 2.3.7+rails_xss breaks will_paginate’s output. I’ve opened an issue on GitHub: http://github.com/mislav/will_paginate/issues/50

  7. Nathan Weizenbaum on 24 May 09:34:

    Michael: by default on Rails 2.3.7 strings are not XSS-protected. To use XSS-protected strings, you need to opt in by using the rails_xss plugin.

  8. yura on 24 May 09:42:

    epic lol

  9. Rasidee on 24 May 10:41:

    It appears that Rails 2.3.7 changed something in the form_remote_tag helper, escaping all the “<” and “>” tags, breaking my project.

  10. Matthias Köntopf on 24 May 10:54:

    I use the helper “content_for”. After the update to rails 2.3.7 the

  11. Matthias Köntopf on 24 May 10:55:

    I use the helper “content_for”. After the update to rails 2.3.7 the script tag in this block is escaped.

  12. Toño on 24 May 10:55:

    uhm…

    2.3.5 -> 2.3.6 = months
    2.3.6 -> 2.3.7 = hours

    I’ve been using Rails since version 1 and I know that this kind of thing happens, but it is really hard to explain these weird release cycles to new people.

    maybe it’s time to add another number for patches and fixes (2.3.6.1).

    Anyway, thanks to the community for this release!

  13. Uģis Ozols on 24 May 10:57:

    In form_for it’s escaping “<” and “>” too… Any solutions?

  14. Nicolas Blanco on 24 May 11:11:

    I think that this kind of problems may discredit the work of the Rails team.

    I mean, releasing a new minor update after several months and releasing an urgent patch one day later…

    I hope that the Rails team will take action to avoid this in the future: for example, releasing at least ONE release candidate even for minor releases…

    Nicolas

  15. Sebastian Deutsch on 24 May 11:28:

    The rails ecosystem has become so big that such things just happen. And I’m glad that the team does those fixes immediately rather than insisting on release cycles.

  16. Michael on 24 May 11:30:

    Nathan: Like Rasidee, all the output from various helpers is escaped. For example link_to escapes the text.

  17. Rasidee on 24 May 11:54:

    Ok guys, found the solution. Actually you must use the rails_xss plug-in, or else you need to deal with the problem.

    Yes, all link_to and link_to_remote will be escaped by default (after the plug-in install). So you need to use the “raw” helper or mark it as html_safe!

    Eg:

    link_to "TEST".html_safe!
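
The opt-in escaping that Rasidee and the other commenters are running into works through a "safe buffer": template output escapes every string that has not been marked safe, and helpers must mark their own assembled markup safe so it is not escaped a second time. The following is an added, simplified re-implementation of that idea for illustration; it is not Rails' ActiveSupport::SafeBuffer or the rails_xss plugin's code, and the link_to, raw and render helpers in it are hypothetical stand-ins using the non-bang html_safe form.

```ruby
require 'erb'

# Simplified stand-in for ActiveSupport::SafeBuffer (illustration only, not
# Rails' code): a String subclass whose contents are trusted markup, and which
# HTML-escapes anything unsafe that gets appended to it.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Template output flows through here: unsafe strings are escaped on the way
  # in, strings already marked safe are appended verbatim.
  def <<(other)
    other = other.to_s unless other.is_a?(String)
    super(other.html_safe? ? other : ERB::Util.html_escape(other))
  end
end

class String
  def html_safe?
    false
  end

  # Opt in: declare that this string is already escaped or is trusted markup.
  def html_safe
    SafeBuffer.new(self)
  end
end

# A link_to-style helper (hypothetical, simplified): it escapes the text and
# the href itself, then marks the assembled tag safe. A helper that forgets
# that final html_safe gets its tag escaped to literal "&lt;a ...", which is
# the symptom described in the comments above.
def link_to(text, href)
  "<a href=\"#{ERB::Util.html_escape(href)}\">#{ERB::Util.html_escape(text)}</a>".html_safe
end

# Explicit opt-out for a whole string, like the rails_xss raw helper.
def raw(str)
  str.to_s.html_safe
end

# Simulates rendering a template: an initially empty safe buffer to which each
# piece of content is appended through SafeBuffer#<<.
def render(*parts)
  parts.each_with_object(SafeBuffer.new) { |part, buf| buf << part }.to_s
end

# Constructed sample inputs: a trusted helper result next to untrusted text.
puts render(link_to("Home", "/?a=1&b=2"), " | ", "<b>user input</b>")
```

The untrusted string is escaped while the helper's tag passes through intact, and the `&` in the href is escaped inside the helper rather than by the buffer.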

  18. nil on 24 May 12:54:

    What’s the simplest way to make form_tag or link_to work like 2.3.5? The escaped “<” and “>” make me sad :(

  19. Trung on 24 May 13:50:

    How did version 2.3.7 come out of the oven so fast 0_0

  20. http://rubynarails.com on 24 May 13:55:

    This morning I upgraded to rails 2.3.6. Then I had to upgrade haml to 3.0.5, because it was broken.

    Now I have to upgrade to rails 2.3.7.html_safe!

  21. Shocked Railtie on 24 May 16:09:

    I thought Rails was covered by tests… so that such grave bugs do not happen?!

  22. Srijith on 24 May 16:21:

    Great Job.. Keep going..

  23. Francois on 24 May 16:42:

    thanks for the quick fix.

  24. DGM on 24 May 17:33:

    I had rails_xss and erubis running in 2.3.5, and upon upgrading to 2.3.7, my local machine works, but the test server has an error:

    ActionView::TemplateError (undefined method `html_safe!' for NoMethodError) in /usr/lib/ruby/gems/1.8/gems/actionpack-2.3.7/lib/action_controller/templates/rescues/template_error.erb:

  25. Jeremy Kemper on 24 May 19:26:

    DGM, you need to upgrade rails_xss as well. Install the latest plugin from http://github.com/rails/rails_xss

  26. Eric Litwin on 24 May 20:25:

    DGM,

    To install the correct version, run:

    ruby script/plugin install git://github.com/rails/rails_xss.git

    The instructions on the rails_xss GitHub page incorrectly say to install from the NZKoz repo instead of the rails fork.

  27. Michael on 24 May 20:32:

    To me, this is totally broken.

    The “protection” breaks so many apps, it’s hilarious.

    And as far as I can see, there’s no option to opt out.

    Every single helper is broken.

    Please, present an option to opt out.

  28. poopsy on 24 May 20:40:

    Here comes the fix for the fix that hopefully fixes the escaping:

    http://github.com/rails/rails/commit/c66013e2c5dc77e9bfa06111fb8841b9b0e41ceb

    2.3.8 tomorrow?

  29. Игорь on 24 May 20:42:

    I’ll wait another couple of days before upgrading…. :)

  30. DGM on 24 May 20:42:

    Thanks Eric, you were right. Now to get will_paginate fixed…

  31. Michael on 24 May 20:43:

    Thanks poopsy… I’m looking forward to 2.3.8 :)

  32. Eric Litwin on 24 May 20:52:

    Poopsy,

    Thanks for the link – I applied that patch against a project without the rails_xss plugin installed and the application passed all my tests this time.

    However, I’m inclined to install the plugin as part of upgrading to 2.3.7/8 to help with the migration to 3.0.

  33. dams@gmail.com on 24 May 20:53:

    First, bro!! Indonesians love this update :)

  34. Jeremy Kemper on 24 May 21:20:

    Michael, it’s a bug when running without the rails_xss plugin. We’ll have a fix released shortly.

  35. NS on 24 May 22:17:

    Since Jose Valim is on the team, I trust that he knows this already, that Rails-Footnotes is broken with, so far, 2.3.6. I haven’t tested it on 2.3.7. But I submitted an issue to the GitHub repo of rails-footnotes.

  36. Tuấn on 25 May 01:02:

    Updating at this rate is going to drive me crazy :( Who knows whether there will be a 2.3.9 next too..

  37. Nariko on 25 May 01:04:

    Thank you

  38. S. M. Sohan on 25 May 03:15:

    Your post has been linked at the DrinkRails blog as one of the top ruby on rails blogs of the day.

  39. Jerry on 25 May 11:35:

    Good job.
