Steve Conover's blog
Bundler 0.8.1 is out. There have been some significant changes around how the vendor directory is organized, so you'll want to rm -rf vendor/gems and re-run bundle.
A team tried swapping in SQLite to see if it made any difference in test suite runtime. It was actually slightly slower than MySQL. In-memory SQLite didn't help either.
A gotcha when using cap and bundler:
"If deploy.rb does a require 'auto_tagger' and the auto_tagger gem is in the app's bundle but not the system, running the system cap won't find the auto_tagger gem. Using bin/cap runs the bundled cap and thus has access to all the gems in the bundle."
XSS #1: There's a huge cross-site scripting hole if you put user-controlled input into a meta refresh tag. The URL in its content attribute (content="0;url=...") can be a javascript: or data: URI, so whoever controls the redirect target can run arbitrary JavaScript in your page. HTML-escaping the value doesn't close it, because the browser reads that attribute as a URL, not as text; the fix is to validate the target (scheme and host) before writing it out.
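Added example (not from the original post), in plain Ruby using only the standard library, showing why the meta refresh hole survives escaping and what does close it: the vulnerable version HTML-escapes the redirect target, which leaves a javascript: or data: scheme intact, while the hardened version parses the value as a URL and accepts only http(s) targets whose host is on an allow-list. The allow-list hosts and the fallback path are assumptions for the example; the attack strings are constructed from the META refresh vectors on the ha.ckers.org cheat sheet.

```ruby
require "cgi"
require "uri"

# Constructed attacker-controlled redirect targets. The first decodes to
# <script>alert(1)</script>; none of them contain a character that
# HTML-escaping would touch.
ATTACKS = [
  "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
  "javascript:alert(1)",
  " JaVaScRiPt:alert(1)",        # leading space and mixed case, same effect
  "//evil.example/phish",        # scheme-relative URL to another host
].freeze

# Vulnerable: h()-style escaping is the right tool for text context, but here
# the browser interprets the attribute as a URL. Escaping changes nothing in
# these payloads, so the script-bearing scheme goes straight to the browser.
def meta_refresh_escaped(url)
  %(<meta http-equiv="refresh" content="0;url=#{CGI.escapeHTML(url)}">)
end

# Hardened: treat the value as a URL. Parse it, require an absolute http(s)
# URL, require a host we recognise, and fall back to a fixed safe path for
# anything else. Escaping is still applied when the result is written into
# the attribute, because that is the correct handling for attribute context.
ALLOWED_HOSTS = %w[www.example.com example.com].freeze  # assumption for the example
FALLBACK = "/".freeze                                    # assumption for the example

def safe_redirect_target(url)
  uri = URI.parse(url.to_s.strip)
  return FALLBACK unless %w[http https].include?(uri.scheme.to_s.downcase)
  return FALLBACK unless ALLOWED_HOSTS.include?(uri.host.to_s.downcase)
  uri.to_s
rescue URI::InvalidURIError
  FALLBACK
end

def meta_refresh_safe(url)
  %(<meta http-equiv="refresh" content="0;url=#{CGI.escapeHTML(safe_redirect_target(url))}">)
end

# True when every constructed attack string is redirected to the fallback.
def all_attacks_neutralized?
  ATTACKS.all? { |a| safe_redirect_target(a) == FALLBACK }
end

if $PROGRAM_NAME == __FILE__
  ATTACKS.each do |a|
    puts "escaped only: #{meta_refresh_escaped(a)}"
    puts "validated:    #{meta_refresh_safe(a)}"
  end
  puts "validated:    #{meta_refresh_safe('https://www.example.com/home')}"
end
```

Note that "https://www.example.com@evil.example/" also ends up at the fallback: URI.parse puts www.example.com in the userinfo and evil.example in the host, which is why the check is on the parsed host and not on a substring match.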
XSS #2: Cross-site scripting resources, from an internal mailing list:
"I've gained a new appreciation for the importance of carefully thinking through security and escaping in RoR; there's more than just h()'ing all your user-entered data."
XSS vulnerabilities - http://ha.ckers.org/xss.html.
Very useful catalog of different XSS vectors. Includes some utilities to base64-, URL- and hex-encode attacks so you can test out your apps.
General OWASP wiki - http://www.owasp.org/index.php/Main_Page. Lots of useful information here. OWASP is a nonprofit group chartered to improve the security of webapps in general.
Security Guide for RoR - http://www.lulu.com/product/download/owasp-ruby-on-rails-security-guide/4489819. General guidelines and things to think about for securing RoR apps.
Loofah - http://github.com/flavorjones/loofah is supported by a fellow Pivot and provides fast and good sanitization built on Nokogiri, albeit slightly slower on short strings than brittle regular expressions. It's in production at several companies.
"Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it most likely won’t make your code less secure."
Happy New Year
