RubySec

Providing security resources for the Ruby community

CVE-2014-0046 (ember-source): Ember.js XSS Vulnerability With {{link-to}} Helper in Non-block Form

ADVISORIES

GEM

ember-source

UNAFFECTED VERSIONS

  • < 1.2.0

PATCHED VERSIONS

  • ~> 1.2.2
  • >= 1.3.2

DESCRIPTION

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the {{link-to}} helper means that any user-supplied data bound to the {{link-to}} helper’s title attribute will not be escaped correctly.

In applications that use the {{link-to}} helper in non-block form and bind the title attribute to user-supplied content, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain (“XSS”).

All users running an affected release and binding user-supplied data to the {{link-to}} helper’s title attribute should either upgrade or use one of the workarounds immediately.