Several security changes have been made to the gem lately, so I think it's time to give you some more detailed information about the project status and to write release notes for every version (as I should have done from the very beginning… Shame on me!).
Before going into the details I would like to thank the people who found and fixed these issues in the first place.
0.0.7 Release Notes
mzsanford has added callback sanitation methods to prevent XSS attacks.
Basically we are only allowing callbacks that are valid JS function names and preventing JS code blocks from being used instead.
The main risk of letting the callback be a chunk of JS code is that an attacker could read or edit our cookies, or build a whole page carrying our signature (e.g. phishing forms).
0.0.6 Release Notes
amiel has fixed some bugs:
1) Content-Length when sending multibyte characters.
2) Content-Type charset when requesting JSONP.
1) Content-Length was computed by adding 1 byte for each character.
When sending multibyte characters this is not true, so we ended up with a smaller Content-Length and lost some trailing characters.
It was solved by computing the length from the bytesize of the body instead of its character count.
2) Since the original Content-Type of the response is application/json, we are overwriting it with
It turns out that the Content-Type may hold both the type and the encoding (charset), and we were not preserving the encoding.
Now we are just replacing the
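To show all three fixes together (callback sanitation from 0.0.7, and the Content-Length and Content-Type charset fixes from 0.0.6), here is an added example that is not the gem's own code: a minimal JSONP wrapper for a Rack-style [status, headers, body] response. The function names, the callback pattern and the exact Content-Type rewrite are my assumptions, not the gem's implementation.

```ruby
# Added example (not the gem's own code): a minimal JSONP wrapper applying
# the three fixes described in the release notes. Names, the callback
# pattern and the Content-Type rewrite rule are assumptions.

# A callback may only be a JS identifier, optionally dotted
# (e.g. "app.handlers.onData"). Anything else (parentheses, semicolons,
# quotes, script tags) is rejected instead of being echoed into the body.
CALLBACK_PATTERN = /\A[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/

def valid_callback?(name)
  name.is_a?(String) && name.match?(CALLBACK_PATTERN)
end

# Rewrite only the media type and keep any parameters such as charset, so
# "application/json; charset=utf-8" becomes "application/javascript; charset=utf-8".
def jsonp_content_type(original)
  original.sub(%r{\Aapplication/json}, 'application/javascript')
end

# Wraps a JSON body in the callback. Returns a Rack-style triple.
def jsonp_wrap(json, callback, content_type = 'application/json; charset=utf-8')
  unless valid_callback?(callback)
    return [400, { 'Content-Type' => 'text/plain' }, ['Invalid callback name']]
  end
  body = "#{callback}(#{json});"
  headers = {
    'Content-Type'   => jsonp_content_type(content_type),
    # bytesize, not length: multibyte characters occupy more than one byte,
    # and a short Content-Length truncates the response
    'Content-Length' => body.bytesize.to_s
  }
  [200, headers, [body]]
end

# Constructed sample input with a multibyte character.
if __FILE__ == $PROGRAM_NAME
  status, headers, body = jsonp_wrap('{"name":"José"}', 'cb')
  puts status, headers.inspect, body.first
  puts jsonp_wrap('{}', 'alert(document.cookie)').inspect
end
```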
How about you?
Are you having any problems with the gem?
Is there any feature you would love to see included?