Sha256: e9abda75ebdd0528e1b41ed197e8162d2ee6131555ad8cf1bf18ad2385f5851a
Contents?: true
Size: 1.44 KB
Versions: 5
Compression:
Stored size: 1.44 KB
Contents
---
gem: actionview
framework: rails
cve: 2016-6316
date: 2016-08-11
url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
title: Possible XSS Vulnerability in Action View
description: |
  There is a possible XSS vulnerability in Action View. Text declared as
  "HTML safe" will not have quotes escaped when used as attribute values
  in tag helpers.

  Impact
  ------

  Text declared as "HTML safe" when passed as an attribute value to a
  tag helper will not have quotes escaped which can lead to an XSS attack.
  Impacted code looks something like this:

  ```ruby
  content_tag(:div, "hi", title: user_input.html_safe)
  ```

  Some helpers like the `sanitize` helper will automatically mark strings
  as "HTML safe", so impacted code could also look something like this:

  ```ruby
  content_tag(:div, "hi", title: sanitize(user_input))
  ```

  All users running an affected release should either upgrade or use one
  of the workarounds immediately.

  Workarounds
  -----------

  You can work around this issue by either *not* marking arbitrary user
  input as safe, or by manually escaping quotes like this:

  ```ruby
  def escape_quotes(value)
    value.gsub(/"/, '&quot;'.freeze)
  end

  content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
  ```
unaffected_versions:
  - "< 3.0.0"
  # "~> 3.2.22.3" is found in gems/actionpack/CVE-2016-6316.yml
patched_versions:
  - "~> 4.2.7.1"
  - "~> 4.2.8"
  - ">= 5.0.0.1"
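The advisory's point is that "HTML safe" is a statement about element-body context, not attribute context: a string that a sanitizer has approved can still contain a double quote, and inside `title="..."` that quote ends the attribute. The following is an added, self-contained Ruby model of that behaviour, not code from the advisory or from Rails: `SafeString`, `tag_vulnerable`, `tag_hardened` and `attribute_names` are stand-ins written for this example (Rails' `ActiveSupport::SafeBuffer` and `content_tag` are not reproduced), and `USER_INPUT` is a constructed sample. The hardened variant applies the advisory's own `escape_quotes` to every attribute value, which is a no-op for values that were already fully escaped.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer (assumption for this example): a String that
# answers true to html_safe?, so the example runs without Rails.
class SafeString < String
  def html_safe?
    true
  end
end

def html_safe(str)
  SafeString.new(str)
end

def html_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Escapes &, <, >, " and ' for values that are not marked safe; passes "HTML safe"
# values through verbatim. This is the behaviour the advisory describes for
# affected releases.
def escape_value(value)
  html_safe?(value) ? value.to_s : CGI.escapeHTML(value.to_s)
end

# Vulnerable model: a safe value containing a double quote terminates the
# attribute early and whatever follows is parsed as further attributes.
def tag_vulnerable(name, content, attrs)
  rendered = attrs.map { |k, v| %( #{k}="#{escape_value(v)}") }.join
  "<#{name}#{rendered}>#{CGI.escapeHTML(content)}</#{name}>"
end

# The advisory's quote-escaping workaround, unchanged.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

# Hardened model: quotes are escaped for every attribute value, safe or not.
# Values that were not safe already had their quotes turned into &quot;, so
# escape_quotes changes nothing for them.
def tag_hardened(name, content, attrs)
  rendered = attrs.map { |k, v| %( #{k}="#{escape_quotes(escape_value(v))}") }.join
  "<#{name}#{rendered}>#{CGI.escapeHTML(content)}</#{name}>"
end

# Crude check for the start tag only: which attribute names does it contain?
# Used to make the attribute breakout visible in a test.
def attribute_names(html)
  html[/\A<[^>]*>/].scan(/\s([\w-]+)="/).flatten
end

# Constructed sample input: contains no tags (so a sanitizer would leave it alone
# and mark it safe) but does contain a double quote.
USER_INPUT = 'x" data-injected="1'.freeze

if __FILE__ == $PROGRAM_NAME
  # Safe-marked input, affected behaviour: the input grows a second attribute.
  puts tag_vulnerable(:div, 'hi', title: html_safe(USER_INPUT))
  # Safe-marked input, hardened behaviour: the quote stays inside the title.
  puts tag_hardened(:div, 'hi', title: html_safe(USER_INPUT))
  # Unmarked input is escaped fully in both models.
  puts tag_vulnerable(:div, 'hi', title: USER_INPUT)
end
```

Run it with `ruby` and compare the first two lines: the vulnerable rendering has two attributes on the `div`, the hardened one has a single `title` whose value contains `&quot;`. The third line shows why the advisory's first workaround (simply not marking input as safe) is enough on its own: an unmarked string never reaches the attribute with a raw quote.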
Version data entries
5 entries across 5 versions & 2 rubygems