ADVISORIES
GEM
FRAMEWORK
SEVERITY
CVSS v3.x: 6.1 (Medium)
UNAFFECTED VERSIONS
- < 3.0.0
PATCHED VERSIONS
- ~> 4.2.7.1
- ~> 4.2.8
- >= 5.0.0.1
DESCRIPTION
There is a possible XSS vulnerability in Action View. Text declared as "HTML safe" will not have quotes escaped when used as attribute values in tag helpers.
Impact
Text declared as "HTML safe" when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack. Impacted code looks something like this:
content_tag(:div, "hi", title: user_input.html_safe)
Some helpers like the sanitize helper will automatically mark strings as
"HTML safe", so impacted code could also look something like this:
content_tag(:div, "hi", title: sanitize(user_input))
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
You can work around this issue by either not marking arbitrary user input as safe, or by manually escaping quotes like this:
def escape_quotes(value)
value.gsub(/"/, '&quot;'.freeze)
end
content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))