Rails 3 to add security enhancement

04.05.2009
Although developers of the Ruby on Rails Web framework will miss this week's target date for offering a preview release of Rails 3, the framework's founder will be touting planned capabilities, such as a major security enhancement, during a conference on Tuesday.

Rails 3, which is to feature a merger with the Merb framework, will be fitted with protection against cross-site scripting attacks, said Rails creator David Heinemeier Hansson in an interview on Monday afternoon. He will be presenting at the RailsConf 2009 event in Las Vegas. Cross-site scripting enables intruders to gain unauthorized access to an application by injecting pieces of JavaScript, but version 3 will protect against this.

Default settings in Rails 3 will only permit allowable JavaScript to execute, Hansson said. "You do not want a user to be able to execute JavaScript on your page," without proper authorization to do so, he explained.

"We'll have a function that allows you to insert this code if [you] actually do mean that this code should be executed," Hansson explained.
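The model described above, escaping output by default with an explicit opt-in for markup the developer means to emit, can be sketched in plain Ruby; this is an added illustration, not Rails code or the Rails 3 API. The `TrustedMarkup` class, the `trusted` and `render` helpers, and the `{{name}}` placeholder syntax are hypothetical names chosen for the example.

```ruby
require "erb"

# Hypothetical marker class (not the Rails API): wraps markup that the
# developer has explicitly declared safe to emit unescaped.
class TrustedMarkup
  attr_reader :html

  def initialize(html)
    @html = html
  end
end

# Hypothetical stand-in for the opt-in function mentioned in the article.
def trusted(html)
  TrustedMarkup.new(html)
end

# Escape-by-default rendering: every {{name}} placeholder is replaced with
# the HTML-escaped value unless the value was wrapped with trusted().
def render(template, values)
  template.gsub(/\{\{(\w+)\}\}/) do
    value = values.fetch(Regexp.last_match(1).to_sym)
    if value.is_a?(TrustedMarkup)
      value.html                        # developer opted in explicitly
    else
      ERB::Util.html_escape(value.to_s) # default path: neutralise markup
    end
  end
end

# Constructed sample input: a user-supplied comment containing a script tag.
USER_COMMENT = %q{<script>alert(1)</script>}
TEMPLATE = "<p>{{comment}}</p>{{widget}}"

def demo
  render(TEMPLATE, comment: USER_COMMENT, widget: trusted("<b>ok</b>"))
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The user-supplied value reaches the page as inert text, while only the value the developer wrapped is emitted as markup, so forgetting to escape no longer results in script execution.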

But a preview release of Rails 3, which several months ago had been eyed for availability at the conference, will not arrive. Hansson stressed that the target date was more along the lines of wishful thinking.