I encountered the following a blog post on RJS leaking vulnerability in multiple Rails applications. Mike Hartl's book uses RJS.
Is it dangerous to use RJS. The problem is that the blog post I linked to is short on details and I don't understand it. Could someone give a detailed explaination of what the problem is?
Blog entries about security vulnerabilities must walk the line between telling insiders enough to fix (or exploit) the problem, while at least not telling script kiddies enough that they graduate to hacker.
The post talks about js.erb files that automagically expand their form authentication_tokens, and about actions that automatically dump all your data into JS when hit with an HTTPs with Accepts=text/javascript. Entry-level Rails should not do either of those things, so if the poster has escalated the problem to the Rails lifers, and if they have not hit the panic button, then you probably don't need to worry about it.