CVE-2020-15169 (actionview): Potential XSS vulnerability in Action View

ADVISORIES

GEM

actionview

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 5.4 (Medium)

PATCHED VERSIONS

~> 5.2.4, >= 5.2.4.4
>= 6.0.3.3

DESCRIPTION

There is a potential Cross-Site Scripting (XSS) vulnerability in Action View’s translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks.

Impact

When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples:

&lt;%# The welcome_html translation is not defined for the current locale: %&gt;
&lt;%= t(&quot;welcome_html&quot;, default: untrusted_user_controlled_string) %&gt;

&lt;%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %&gt;
&lt;%= t(&quot;title.html&quot;, default: [:&quot;missing.html&quot;, untrusted_user_controlled_string]) %&gt;

Workarounds

Impacted users who can’t upgrade to a patched Rails version can avoid this issue by manually escaping default translations with the html_escape helper (aliased as h):

&lt;%= t(&quot;welcome_html&quot;, default: h(untrusted_user_controlled_string)) %&gt;

RubySec