Posts tagged "rails"

Keeping your Ruby on Rails app easy to update

The Rails 5 release candidate is out, bringing new improvements that will make your life as a developer easier. Probably you are excited to update your application to the new major Rails release, but you may have some concerns. It is normal, updating your application to fit the new version may bring an unknown number … »

The new HTML sanitizer in Rails 4.2

The article below was originally written by Kasper Timm Hansen (@kaspth on github & twitter) about his work during the Google Summer of Code 2013. Kasper and I worked a lot changing the underlying implementation of the sanitize helper to give Rails developers a more robust, faster and secure solution to sanitize user input. This … »

Bootstrap 3 support for Simple Form

We just released Simple Form 3.1.0.rc1 with support to Bootstrap 3. To make it possible, we leveled up the Wrapper API to make it more extensible and to allow developers to directly configure it instead of relying on global state. After such improvements, it was very easy to change the Simple Form configuration to work … »

3 features from Rails 4.1 that I’m excited about

Rails 4.1 was just released this week and I already had a great experience trying out the release candidates on my latest project, so I decided to write a bit about my favorites features on this release and some things I have learned by using them so far. 1) secrets.yml Placing your configuration in a … »

Devise 3.1: Now with more secure defaults

We are glad to announce that Devise 3.1.0.rc is out. On this version, we have focused on some security enhancements regarding our defaults and the deprecation of TokenAuthenticatable. This blog post explains the rationale behind those changes and how to upgrade. Devise 3.1.0.rc runs on both Rails 3.2 and Rails 4.0. There is a TL;DR … »

CSRF token fixation attacks in Devise

Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either by subdomain cookies (similar to described here) or by fixation over the same Wi-Fi network. If the user knows the CSRF token, cross-site forgery requests can be made. … »