---
gem: actionpack
framework: rails
cve: 2013-6416
osvdb: 100526
url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
title: XSS Vulnerability in simple_format helper
date: 2013-12-03

description: |
  There is a vulnerability in the simple_format helper in Ruby on Rails.
  The simple_format helper converts user supplied text into html text 
  which is intended to be safe for display. A change made to the 
  implementation of this helper means that any user provided HTML 
  attributes will not be escaped correctly. As a result of this error, 
  applications which pass user-controlled data to be included as html 
  attributes will be vulnerable to an XSS attack.

cvss_v2: 

unaffected_versions:
  - ~> 2.3.0
  - ~> 3.1.0
  - ~> 3.2.0

patched_versions:
  - ">= 4.0.2"