Sha256: 81f17746e104b9e4b7005cc604c43c9b3a60ed3a0821fdb250868e21c604998d

Contents?: true

Size: 1.54 KB

Versions: 5

Stored size: 1.54 KB

Contents

---
gem: activesupport
cve: 2015-3226
url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
title: |
  XSS Vulnerability in ActiveSupport::JSON.encode
date: 2015-06-16

description: |
  When a `Hash` containing user-controlled data is encoded as JSON (either through
  `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
  escaping that matches the guarantee implied by the `escape_html_entities_in_json`
  option (which is enabled by default). If this resulting JSON string is subsequently
  inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

  For example, the following code snippet is vulnerable to this attack:

      <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>

  Similarly, the following is also vulnerable:

      <script>
        var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
      </script>

  All applications that render JSON-encoded strings that contain user-controlled
  data in their views should either upgrade to one of the FIXED versions or use
  the suggested workaround immediately.

  Workarounds
  -----------
  To work around this problem add an initializer with the following code:

    module ActiveSupport
      module JSON
        module Encoding
          private
          class EscapedString
            def to_s
              self
            end
          end
        end
      end
    end

unaffected_versions:
  - "< 4.1.0"

patched_versions:
  - ">= 4.2.2"
  - "~> 4.1.11"
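
Added example in Ruby (not part of the advisory or of ruby-advisory-db): the escaping that `escape_html_entities_in_json` is meant to guarantee, applied to plain `JSON.generate` output so the result can sit inside a `<script>` element, plus a check that flags output which could still close that element. The names `encode_for_script`, `safe_for_inline_script?` and the sample data are assumptions made for illustration.

```ruby
require "json"

# JSON allows any character to be written as a \uXXXX escape, and the value
# parses back unchanged, so escaping HTML-significant characters loses nothing.
# Single-quoted values keep the backslash literally (the JSON escape sequence).
HTML_UNSAFE_JSON = {
  "<" => '\u003c',        # cannot start "</script>" or any other tag
  ">" => '\u003e',
  "&" => '\u0026',        # harmless inside <script>, dangerous if reused in an attribute
  "\u2028" => '\u2028',   # line/paragraph separators: valid JSON, invalid in JS literals
  "\u2029" => '\u2029'
}.freeze

# Encode a Ruby value as JSON suitable for direct embedding in an inline script.
def encode_for_script(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/, HTML_UNSAFE_JSON)
end

# Defensive check for the failure mode in the advisory: JSON that still contains
# a raw "<" or ">" can terminate the surrounding <script> element.
def safe_for_inline_script?(json)
  !json.match?(/[<>]/)
end

# Constructed sample of user-controlled data (hypothetical, for the demo only).
SAMPLE_USER_DATA = {
  "name" => "</script><script>alert(1)</script>",
  "note" => "a&b"
}.freeze

if $PROGRAM_NAME == __FILE__
  plain = JSON.generate(SAMPLE_USER_DATA)
  puts "plain JSON safe?   #{safe_for_inline_script?(plain)}"
  puts "escaped JSON safe? #{safe_for_inline_script?(encode_for_script(SAMPLE_USER_DATA))}"
end
```

Newer releases of the json gem also accept a `script_safe:` option on `JSON.generate`; check the version you ship before relying on it instead of an explicit escape step like this one.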


Version data entries

5 entries across 5 versions & 2 rubygems

Version Path
bundler-budit-0.6.2 data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml
bundler-audit-0.6.1 data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml
bundler-audit-0.6.0 data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml
bundler-audit-0.5.0 data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml