Sha256: d5fc593b665fa6ce5d85ff4932d89de462e5c330c1c0dc844cd6337e77df2622
Contents
---
gem: actionpack
framework: rails
cve: 2016-6316
date: 2016-08-11
url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
title: Possible XSS Vulnerability in Action View
description: |
  There is a possible XSS vulnerability in Action View. Text declared as
  "HTML safe" will not have quotes escaped when used as attribute values
  in tag helpers.

  Impact
  ------

  Text declared as "HTML safe" when passed as an attribute value to a tag
  helper will not have quotes escaped, which can lead to an XSS attack.
  Impacted code looks something like this:

  ```ruby
  content_tag(:div, "hi", title: user_input.html_safe)
  ```

  Some helpers like the `sanitize` helper will automatically mark strings
  as "HTML safe", so impacted code could also look something like this:

  ```ruby
  content_tag(:div, "hi", title: sanitize(user_input))
  ```

  All users running an affected release should either upgrade or use one
  of the workarounds immediately.

  Workarounds
  -----------

  You can work around this issue by either *not* marking arbitrary user
  input as safe, or by manually escaping quotes like this:

  ```ruby
  # Replace every double quote with its HTML entity so a "safe" string
  # cannot terminate the attribute value it is placed in.
  def escape_quotes(value)
    value.gsub(/"/, '&quot;'.freeze)
  end

  content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
  ```
unaffected_versions:
  - "< 3.0.0" # Newer versions are affected, but tracked in the actionview gem.
  - ">= 4.1.0"
patched_versions:
  - ~> 3.2.22.3
  - ~> 4.2.7.1
  - ">= 5.0.0.1"
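The following is an added, self-contained illustration of the behaviour the advisory describes and of its `escape_quotes` workaround; it is not code from Rails or from the advisory itself. `SafeString` is a hypothetical stand-in for a string flagged as HTML safe, `affected_attribute` is a hypothetical, deliberately simplified attribute renderer that reproduces the affected logic (values reporting `html_safe?` are interpolated verbatim, all others go through `ERB::Util.html_escape`), and `mitigated_attribute` and `attribute_well_formed?` are hypothetical helpers that apply the advisory's `escape_quotes` and check the result. Only the Ruby standard library is used, so it runs without Rails.

```ruby
require 'erb'

# Hypothetical stand-in for a string that has been marked "HTML safe"
# (in Rails this would be an ActiveSupport::SafeBuffer; this is not Rails code).
class SafeString < String
  def html_safe?
    true
  end
end

# Plain strings are not safe; define the predicate only if nothing else has.
class String
  def html_safe?
    false
  end unless method_defined?(:html_safe?)
end

# Hypothetical, simplified attribute renderer reproducing the affected
# behaviour from the advisory: a value that reports html_safe? is written
# into the attribute verbatim, anything else is entity-escaped first.
def affected_attribute(name, value)
  rendered = value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
  %(#{name}="#{rendered}")
end

# The advisory's workaround: escape double quotes by hand before the value
# reaches the helper, so a "safe" string cannot close the attribute early.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

# Hypothetical helper: apply the workaround, re-mark the result as safe
# (as sanitize would have done), then render with the affected helper.
def mitigated_attribute(name, value)
  affected_attribute(name, SafeString.new(escape_quotes(value.to_s)))
end

# Defensive check: a well-formed name="value" pair has no raw double quote
# inside the value. A raw quote means the value terminated the attribute.
def attribute_well_formed?(rendered)
  m = rendered.match(/\A[\w-]+="(.*)"\z/m)
  !m.nil? && !m[1].include?('"')
end

# Constructed sample input containing a double quote.
USER_INPUT = 'say "hi"'.freeze

if __FILE__ == $PROGRAM_NAME
  puts affected_attribute('title', USER_INPUT)                  # plain string: escaped
  puts affected_attribute('title', SafeString.new(USER_INPUT))  # "safe" string: quote breaks out
  puts mitigated_attribute('title', SafeString.new(USER_INPUT)) # workaround applied
end
```

Running the block shows that a plain string is escaped to `title="say &quot;hi&quot;"`, that the same text marked safe renders as `title="say "hi""` (the attribute ends after `say `, which is the condition the advisory warns about), and that passing the value through `escape_quotes` first restores the escaped form.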