The Ruby on Rails Weblog reports two vulnerabilities in the in_place_editing plugin:
- The actions generated by in_place_edit_for perform no verification of the request method, allowing a hostile website to bypass the built-in CSRF protection.
- The input controls generated by in_place_editor_field perform no output sanitization, leaving the application vulnerable to XSS attacks.
Users of this plugin are advised to update the plugin from git://github.com/rails/in_place_editing.git. The original post provides a zip file and a patch if you’re unable to use git.
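Both defects in miniature, as an added Ruby example that is not code from the weblog post or from the plugin: the Request struct and forgery_check_passes? are simplified stand-ins for a Rails request and its built-in forgery check (which skips GET), so the vulnerable action can be compared with a hardened one that restricts the verb and escapes output.

```ruby
require 'cgi'

# Constructed stand-in for a request reaching an in-place-edit action:
# the HTTP verb, the submitted params and the CSRF token held in the session.
Request = Struct.new(:verb, :params, :session_token)

# Models Rails' built-in forgery check: GET is treated as safe and is not
# checked at all; every other verb must carry the session's token.
def forgery_check_passes?(request)
  return true if request.verb == 'GET'
  request.params['authenticity_token'] == request.session_token
end

# Vulnerable shape of a generated action: accepts any verb (so a cross-site
# GET slips past the token check) and echoes the new value back unescaped.
def vulnerable_set_name(request, record)
  return [403, 'forbidden'] unless forgery_check_passes?(request)
  record[:name] = request.params['value']
  [200, %(<span id="name">#{record[:name]}</span>)]
end

# Hardened shape: refuse anything but POST before the forgery check runs,
# so the GET exemption no longer bypasses it, and HTML-escape the value
# before it is rendered back into the page.
def hardened_set_name(request, record)
  return [405, 'method not allowed'] unless request.verb == 'POST'
  return [403, 'forbidden'] unless forgery_check_passes?(request)
  record[:name] = request.params['value']
  [200, %(<span id="name">#{CGI.escapeHTML(record[:name])}</span>)]
end
```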