Rails 3.0.11 has been released. This is a patch-level release containing bug fixes and an important security fix.
There is a vulnerability in the translate helper method which may allow an attacker to insert arbitrary code into a page.
Please see the rubyonrails-security posting and the changelog item below, for more details.
Fix XSS security vulnerability in the
translate helper method. When using interpolation
in combination with HTML-safe translations, the interpolated input would not get HTML
escaped. GH 3664
translate('foo_html', :something => '<script>') # => "...<script>..."
translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."
Implement a workaround for a bug in ruby-1.9.3p0 where an error would be raised while attempting to convert a template from one encoding to another.
Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.
The workaround is to load all conversions into memory ahead of time, and will only happen if the ruby version is exactly 1.9.3p0. The hope is obviously that the underlying problem will be resolved in the next patchlevel release of 1.9.3.
Fix assert_select_email to work on multipart and non-multipart emails as the method stopped working correctly in Rails 3.x due to changes in the new mail gem.
Fix url_for when passed a hash to prevent additional options (eg. :host, :protocol) from being added to the hash after calling it.
Exceptions from database adapters should not lose their backtrace.
Backport “ActiveRecord::Persistence#touch should not use default_scope” (GH #1519)
Psych errors with poor yaml formatting are proxied. Fixes GH #2645 and GH #2731
Fix ActiveRecord#exists? when passsed a nil value
As ever, you can see a full list of commits between the versions on Github.