Sha256: 70a3ba1405b71baa1a014b443965c1c2abe5999affaf51c0a12ab49b8e341ac4
Size: 2 KB
Versions: 3
Stored size: 2 KB
Contents
---
gem: rails-html-sanitizer
cve: 2015-7579
date: 2016-01-25
url: "https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc"
title: XSS vulnerability in rails-html-sanitizer
description: |
  There is an XSS vulnerability in `Rails::Html::FullSanitizer`, which is used
  by Action View's `strip_tags`. This vulnerability has been assigned the CVE
  identifier CVE-2015-7579.

  Versions Affected: 1.0.2
  Not affected: 1.0.0, 1.0.1
  Fixed Versions: 1.0.3

  Impact
  ------
  Due to the way `Rails::Html::FullSanitizer` is implemented, if an attacker
  passes already escaped HTML entities to Action View's `strip_tags`, those
  entities are unescaped in the output. If the result is then marked as safe
  with `raw` or `html_safe`, the unescaped markup is rendered, which allows an
  XSS attack.

  For example:

      strip_tags("&lt;script&gt;alert('XSS')&lt;/script&gt;")

  Would generate:

      <script>alert('XSS')</script>

  After the fix it will generate:

      &lt;script&gt;alert('XSS')&lt;/script&gt;

  All users running an affected release should either upgrade or use one of
  the workarounds immediately.

  Releases
  --------
  The FIXED releases are available at the normal locations.

  Workarounds
  -----------
  If you can't upgrade, please use the following monkey patch in an
  initializer that is loaded before your application:

  ```
  $ cat config/initializers/strip_tags_fix.rb
  class ActionView::Base
    def strip_tags(html)
      self.class.full_sanitizer.sanitize(html)
    end
  end
  ```

  Patches
  -------
  To aid users who aren't able to upgrade immediately we have provided patches
  for the two supported release series. They are in git-am format and consist
  of a single changeset.

  * Do-not-unescape-already-escaped-HTML-entities.patch

  Credits
  -------
  Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
  reporting the problem and working with us to fix it.
unaffected_versions:
  - "~> 1.0.0"
  - "~> 1.0.1"
patched_versions:
  - "~> 1.0.3"
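The following Ruby example is added here to illustrate the advisory; it is not code from rails-html-sanitizer or from the advisory itself. It models the affected behaviour in pure Ruby (a crude regex tag strip followed by entity decoding, standing in for the gem's HTML-parser based text extraction), places the hardened form beside it (re-encode `&`, `<`, `>` on the way out so pre-escaped input survives unchanged), and adds a probe that feeds the advisory's payload to any `strip_tags` implementation you hand it. The helper names `vulnerable_strip_tags`, `safe_strip_tags`, `escape_special` and `unescapes_entities?` are hypothetical, and the probe input is the constructed one from the advisory.

```ruby
require 'cgi'

# Constructed probe taken from the advisory: an already entity-escaped
# <script> element. A correct strip_tags must return it unchanged.
ESCAPED_SCRIPT = "&lt;script&gt;alert('XSS')&lt;/script&gt;".freeze

# Toy model of the affected behaviour (not the gem's code): markup is removed
# and the text content of what remains is returned decoded, so entities the
# caller had already escaped come back as live markup.
def vulnerable_strip_tags(html)
  text = html.gsub(/<[^>]*>/, "") # crude tag removal, stands in for the HTML parser
  CGI.unescapeHTML(text)
end

# Escapes only the characters that can open markup, so output such as
# "a &amp; b" round-trips byte-for-byte instead of also rewriting quotes.
def escape_special(text)
  text.gsub(/[&<>]/, "&" => "&amp;", "<" => "&lt;", ">" => "&gt;")
end

# Hardened form: decode, then re-encode on the way out. Pre-escaped input
# survives unchanged and any raw <, > or & left after stripping is neutralised,
# so the result stays inert even if a caller later wraps it in raw/html_safe.
def safe_strip_tags(html)
  text = html.gsub(/<[^>]*>/, "")
  escape_special(CGI.unescapeHTML(text))
end

# Check for a real deployment: feed the probe to any strip_tags implementation
# (Proc, lambda or Method) and report whether it hands back raw markup.
def unescapes_entities?(strip_tags)
  strip_tags.call(ESCAPED_SCRIPT).include?("<script>")
end

if __FILE__ == $0
  puts "model of 1.0.2: #{vulnerable_strip_tags(ESCAPED_SCRIPT)}"
  puts "hardened:       #{safe_strip_tags(ESCAPED_SCRIPT)}"
  puts "model vulnerable?    #{unescapes_entities?(method(:vulnerable_strip_tags))}"
  puts "hardened vulnerable? #{unescapes_entities?(method(:safe_strip_tags))}"
end
```

To test the helper your application actually ships, run the probe against the real method from a Rails console, for example `unescapes_entities?(ActionController::Base.helpers.method(:strip_tags))` (assumed to resolve to Action View's `strip_tags`; adjust if your app wraps it). A `true` result means the deployed sanitizer still decodes pre-escaped entities; re-run the probe after upgrading to 1.0.3 or applying the workaround above and confirm it reports `false` before trusting `strip_tags` output in a `raw` or `html_safe` context.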