Unfortunately, we may not expect fix the vulnerability by the current developer because he announced that "unable to keep fixing bugs or work on the next major release".
If you want to continue to use RedCloth for such contents, you should patch for the problem yourself, consider contributing to RedCloth, or otherwise.
What is RedCloth
I recognize RedCloth is a well-known converting Textile library for Ruby.
I reported the PoC to a developer of RedCloth in Feb. 24, 2012: https://gist.github.com/co3k/75b3cb416c342aa1414c
For your convenience, I paste (and some modified) a PoC to the following:
- Feb. 24, 2012 : I reported the problem to a developer (by sending e-mail)
- Feb. 29, 2012 : A developer discloses the issue in this ticket: http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
- Sep. 24, 2014 : Announced "RedCloth needs new maintainers" to take over RedCloth by a developer: https://github.com/jgarber/redcloth/commit/b24f03db023d1653d60dd33b28e09317cd77c6a0
- Dec. 8, 2014 : I reported a site contains XSS issue caused by this RedCloth vulnerability
- Dec. 9, 2014 : I decided to disclose this problem on my site
- Dec. 11, 2014 : Published.
I've confirmed the following versions of RedCloth are affected:
- RedCloth 4.2.9 (November 27, 2011) [latest version]
- RedCloth 4.2.0 (June 10, 2009)
- RedCloth 4.1.9 (February 20, 2009)
- RedCloth 3.0.4 (September 15, 2005)
- RedCloth 3.0.3 (February 6, 2005)
- RedCloth 3.0.2 (February 3, 2005)
- RedCloth 3.0.1 (January 18, 2005)
I couldn't test with RedCloth 4.0.0 to RedCloth 4.1.1 on my environment.
Some projects use their own RedCloth and avoid a type of this problem. I know the Redmine's case.
Redmine uses old RedCloth 3.0.4 but it is very patched: http://www.redmine.org/projects/redmine/repository/changes/trunk/lib/redcloth3.rb and the XSS issue is fixed in http://www.redmine.org/projects/redmine/repository/revisions/2212 . The Redmine's fix looks good to me; limited types of schemes should be accepted so it might help to create your own patch.
Of course using an alternative library or well-maintained fork of RedCloth 4, or filtering user inputted values, or some monkey patching approach might be effective. But I'm sorry too that I can't indicate specific information since I'm not Ruby-aware programmer.