- < 4.1.0
- >= 4.2.2
- ~> 4.1.11
Hash containing user-controlled data is encode as JSON (either through
ActiveSupport::JSON.encode), Rails does not perform adequate
escaping that matches the guarantee implied by the
option (which is enabled by default). If this resulting JSON string is subsequently
inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
For example, the following code snippet is vulnerable to this attack:
Similarly, the following is also vulnerable:
<script> var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>; </script>
All applications that renders JSON-encoded strings that contains user-controlled data in their views should either upgrade to one of the FIXED versions or use the suggested workaround immediately.
To work around this problem add an initializer with the following code:
module ActiveSupport module JSON module Encoding private class EscapedString def to_s self end end end end end