- < 3.0.0
- ~> 126.96.36.199
- ~> 4.2.8
- >= 188.8.131.52
There is a possible XSS vulnerability in Action View. Text declared as “HTML safe” will not have quotes escaped when used as attribute values in tag helpers.
Text declared as “HTML safe” when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack. Impacted code looks something like this:
```ruby
content_tag(:div, "hi", title: user_input.html_safe)
```
Some helpers like the sanitize helper will automatically mark strings as “HTML safe”, so impacted code could also look something like this:
```ruby
content_tag(:div, "hi", title: sanitize(user_input))
```
All users running an affected release should either upgrade or use one of the workarounds immediately.
You can work around this issue by either not marking arbitrary user input as safe, or by manually escaping quotes like this:
```ruby
# Replace every double quote with its HTML entity so the value cannot close the
# attribute it is placed in, then pass the result to the tag helper.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
```
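The following is an added example, not code from the advisory or from Rails: it models, in plain Ruby, how a tag helper that skips escaping for "HTML safe" values lets a quote terminate the attribute, and shows the advisory's escape_quotes workaround next to a helper that always escapes quotes in attribute values. SafeString, render_attr_vulnerable and render_attr_fixed are hypothetical stand-ins, not the Rails implementation.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String that remembers it was
# marked "HTML safe". Hypothetical model, not the Rails class.
class String
  def html_safe?; false; end
end

class SafeString < String
  def html_safe?; true; end
end

def html_safe(str)
  SafeString.new(str)
end

# Models the vulnerable behaviour: the value is escaped only when it is
# not marked safe, so a safe value keeps its quotes inside the attribute.
def render_attr_vulnerable(name, value)
  escaped = value.html_safe? ? value : CGI.escapeHTML(value)
  %(#{name}="#{escaped}")
end

# The advisory's workaround: escape double quotes by hand.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

# Hardened variant: an html_safe value may contain trusted markup, but as an
# attribute value it still must not contain the delimiter, so quotes are
# always escaped regardless of the safe flag.
def render_attr_fixed(name, value)
  escaped = value.html_safe? ? escape_quotes(value) : CGI.escapeHTML(value)
  %(#{name}="#{escaped}")
end

# Constructed sample input: a quote that would close the title attribute
# early and start a second, attacker-chosen attribute.
USER_INPUT = 'x" data-injected="1'.freeze

def demo
  {
    unsafe:     render_attr_vulnerable('title', USER_INPUT),
    vulnerable: render_attr_vulnerable('title', html_safe(USER_INPUT)),
    workaround: render_attr_vulnerable('title', html_safe(escape_quotes(USER_INPUT))),
    fixed:      render_attr_fixed('title', html_safe(USER_INPUT))
  }
end

demo.each { |label, html| puts "#{label}: #{html}" } if __FILE__ == $PROGRAM_NAME
```

Only the :vulnerable entry renders a second attribute; the unescaped, workaround and fixed renderings all keep the input inside a single title attribute.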