There is a vulnerability in the escaping code for the form helpers in Ruby on Rails. Attackers who can inject deliberately malformed unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML.
The issue affects Ruby on Rails 2.0.0 and *all* subsequent versions.
Due to the way that most databases either don’t accept or actively cleanse malformed unicode strings this vulnerability is most likely to be exploited by non-persistent attacks however persistent attacks may still be possible in some configurations.
Version 2.3.4 released today fixes this problem.