Quoting from an upcoming Ruby on Rails security advisory:
XSS Vulnerability in simple_format helper
There is a vulnerability in the simple_format helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6416.
Versions Affected: 4.0.0 & 4.0.1
Not affected: Versions prior to 4.0
Fixed Versions: 4.0.2
The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.
All users running an affected release and passing user-controlled html attributes to simple_format should either upgrade or use one of the work arounds immediately.
The 4.0.2 release is available at the normal locations.
Thanks to Kevin Reintjes for reporting the vulnerability to us and helping us work on a fix.
Created attachment 831793 [details]
Upstream patch for 4.0.x
Fixed upstream in 4.0.2:
This issue only affected Ruby on Rails 4.0, which is not shipped as part of any Red Hat product.
Not vulnerable. This issue did not affect the versions of rubygem-actionpack as shipped with various Red Hat products.