RubySec

Providing security resources for the Ruby community

CVE-2016-6316 (actionview): Possible XSS Vulnerability in Action View

ADVISORIES

GEM

actionview

FRAMEWORK

rails

UNAFFECTED VERSIONS

  • < 3.0.0

PATCHED VERSIONS

  • ~> 4.2.7.1
  • ~> 4.2.8
  • >= 5.0.0.1

DESCRIPTION

There is a possible XSS vulnerability in Action View. Text declared as “HTML safe” will not have quotes escaped when used as attribute values in tag helpers.

Impact

Text declared as “HTML safe” when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack. Impacted code looks something like this:

content_tag(:div, "hi", title: user_input.html_safe)

Some helpers like the sanitize helper will automatically mark strings as “HTML safe”, so impacted code could also look something like this:

content_tag(:div, "hi", title: sanitize(user_input))

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

You can work around this issue by either not marking arbitrary user input as safe, or by manually escaping quotes like this:

def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))