Most Rubyists are aware of variable length arguments in a method definition. For example:
Just as a refresher, the * operator, commonly known as a “splat,” collects the arguments into an array object. So in the example above, the variable *names is an array object, which means it can be used just like any other array:
What blew my mind recently was stumbling across Ruby code where the name for the “splat” was missing. I assure you that this is valid Ruby code:
RubyGems 1.8.10 was released on August 25th. Typically it is not vital to upgrade RubyGems immediately, but 1.8.10 is not a typical release. It is a crucial update because it fixes a long-standing code injection flaw. If you have not updated you should do so as soon as possible.
For details on the flaw check out the proof of concept rubygems-pwn.
Over the last year, several developers have written Rails plugins that attempt prevent cross-site scripting (XSS) vulnerabilities by sanitizing data or preventing the display of data that has not been explicitly sanitized. The differences in their approaches are interesting, and they highlight how far we still have to go before we have a robust, flexible, and generally agreed-upon approach to ensuring our web applications are free of XSS vulnerabilities.
