Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: actionview
date: 2016-08-11
url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
cve: 2016-6316
title: Possible XSS Vulnerability in Action View
description: |
  There is a possible XSS vulnerability in Action View.  Text declared as "HTML
  safe" will not have quotes escaped when used as attribute values in tag
  helpers.

  Impact
  ------

  Text declared as "HTML safe" when passed as an attribute value to a tag helper
  will not have quotes escaped which can lead to an XSS attack.  Impacted code
  looks something like this:

  ```ruby
  content_tag(:div, "hi", title: user_input.html_safe)
  ```

  Some helpers like the `sanitize` helper will automatically mark strings as
  "HTML safe", so impacted code could also look something like this:

  ```ruby
  content_tag(:div, "hi", title: sanitize(user_input))
  ```

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Workarounds
  -----------
  You can work around this issue by either *not* marking arbitrary user input as
  safe, or by manually escaping quotes like this:

  ```ruby
  def escape_quotes(value)
    value.gsub(/"/, '&quot;'.freeze)
  end

  content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
  ```
unaffected_versions:
- "< 3.0.0"
patched_versions:
- "~> 4.2.7.1"
- ">= 5.0.0.1"
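= 5.0.0.1"">
The behaviour described under Impact and the Workarounds section, modelled in a small stand-alone Ruby script (an added example, not Rails code or part of the advisory): `SafeText` stands in for `ActiveSupport::SafeBuffer`, `tag_option_affected` and `tag_option_hardened` are simplified stand-ins for the tag helper's attribute rendering, and the sample value is constructed.

```ruby
require "cgi"

# Stand-in for ActiveSupport::SafeBuffer (an assumption of this model): a String
# that answers html_safe? with true. Plain Strings count as not safe.
class SafeText < String
  def html_safe?
    true
  end
end

def html_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Models the affected behaviour: a value already marked safe skips escaping,
# so a double quote inside it terminates the attribute early.
def tag_option_affected(key, value)
  text = html_safe?(value) ? value.to_s : CGI.escapeHTML(value.to_s)
  %(#{key}="#{text}")
end

# Same substitution as the advisory's escape_quotes workaround.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

# Hardened variant: quotes are replaced in every attribute value, safe or not,
# after the normal escaping step (a no-op for text CGI already escaped).
def tag_option_hardened(key, value)
  text = html_safe?(value) ? value.to_s : CGI.escapeHTML(value.to_s)
  %(#{key}="#{escape_quotes(text)}")
end

# Builds <name attrs>content</name> with the given option renderer, so the
# example runs without Rails' content_tag.
def render_tag(name, content, attrs, renderer)
  options = attrs.map { |k, v| renderer.call(k.to_s, v) }.join(" ")
  "<#{name} #{options}>#{CGI.escapeHTML(content)}</#{name}>"
end

# Regression check: a rendered option must contain exactly the two quotes that
# delimit its value; any other quote means a second attribute was injected.
def single_attribute?(rendered_option)
  rendered_option.count('"') == 2
end

# Constructed input: no markup for a sanitizer to strip, but it carries a quote.
SAMPLE = SafeText.new(%(Bob" data-injected="yes))
puts render_tag(:div, "hi", { title: SAMPLE }, method(:tag_option_affected))
puts render_tag(:div, "hi", { title: SAMPLE }, method(:tag_option_hardened))
```

The `single_attribute?` check is the kind of assertion worth keeping in a view test: it fails on the affected rendering and passes once quotes are escaped.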