---
gem: rails-html-sanitizer
cve: 2015-7579
date: 2016-01-25
url: "https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc"

title: XSS vulnerability in rails-html-sanitizer

description: |
  There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`. 
  This vulnerability has been assigned the CVE identifier CVE-2015-7579. 

  Versions Affected:  1.0.2 
  Not affected:       1.0.0, 1.0.1 
  Fixed Versions:     1.0.3 

  Impact 
  ------ 
  Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker 
  passes an already escaped HTML entity to the input of Action View's `strip_tags` 
  these entities will be unescaped what may cause a XSS attack if used in combination 
  with `raw` or `html_safe`. 

  For example: 

      strip_tags("<script>alert('XSS')</script>") 

  Would generate: 

      <script>alert('XSS')</script> 

  After the fix it will generate: 

      &lt;script&gt;alert('XSS')&lt;/script&gt; 

  All users running an affected release should either upgrade or use one of the 
  workarounds immediately. 

  Releases 
  -------- 
  The FIXED releases are available at the normal locations. 

  Workarounds 
  ----------- 
  If you can't upgrade, please use the following monkey patch in an initializer 
  that is loaded before your application: 

  ``` 
  $ cat config/initializers/strip_tags_fix.rb 
  class ActionView::Base 
    def strip_tags(html) 
      self.class.full_sanitizer.sanitize(html) 
    end 
  end 
  ``` 

  Patches 
  ------- 
  To aid users who aren't able to upgrade immediately we have provided patches 
  for the two supported release series. They are in git-am format and consist 
  of a single changeset. 

  * Do-not-unescape-already-escaped-HTML-entities.patch 

  Credits 
  ------- 
  Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for 
  reporting the problem and working with us to fix it. 

unaffected_versions:
  - "~> 1.0.0"
  - "~> 1.0.1"

patched_versions:
  - ">= 1.0.3"