---
gem: actionpack
framework: rails
cve: 2013-1857
osvdb: 91454
url: https://nvd.nist.gov/vuln/detail/CVE-2013-1857
title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
date: 2013-03-19

description: |
  The sanitize helper in Ruby on Rails is designed to
  filter HTML and remove all tags and attributes which could be
  malicious. The code which ensured that URLs only contain supported
  protocols contained several bugs which could allow an attacker to
  embed a tag containing a URL which executes arbitrary javascript
  code.

cvss_v2: 4.3

patched_versions:
  - ~> 2.3.18
  - ~> 3.1.12
  - ">= 3.2.13"