---
gem: chartkick
cve: 2019-12732
url: https://github.com/ankane/chartkick/issues/488
title: XSS Vulnerability in Chartkick Ruby Gem
date: 2019-06-04
description: |
  Chartkick is vulnerable to a cross-site scripting (XSS) attack if
  both the following conditions are met:

  Condition 1:
    It's used with `ActiveSupport.escape_html_entities_in_json = false`
    (this is not the default for Rails)
    OR used with a non-Rails framework like Sinatra.

  Condition 2:
    Untrusted data or options are passed to a chart.

    <%= line_chart params[:data], min: params[:min] %>
patched_versions:
  - ">= 3.2.0"