Ruby on Rails on Thursday issued an advisory that said the flaw lies "in the escaping code for the [framework's] 'form helpers'...Attackers who can inject deliberately malformed Unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML."
Versions 2.0 and later are impacted.
Researcher Brian Mastenbrook, who discovered the bug, said in a blog post that the issue affects at least Twitter and business web applications produced by 37signals, which include Basecamp, Highrise, Backpack and Campfire. He decided to conduct tests on those applications after noticing a vulnerability in the Unicode character encoding standard a few weeks ago.
Mastenbrook said Twitter fixed the problem itself, but 37signals referred him, after repeated requests, to Ruby on Rails to solve the issue.
Representatives at Twitter and 37signals could not immediately be reached for comment on Friday.
"Web application security is still an immature field, and many of the layers are sufficiently poorly designed that issues like this will pop up for a good long while," Mastenbrook wrote. "Just like buffer overflows have been a weak spot for C [code] security long as the internet has been around, escaping issues will continue to be a weak spot for web security for as long as we're afflicted with this particular architecture."
Mastenbrook suggested all browsers should contain cross-site scripting filtering functionality, as is present, at least in a limited form, in Internet Explorer 8.