title: XSS Vulnerability in Chartkick Ruby Gem
Chartkick is vulnerable to a cross-site scripting (XSS) attack if both of the following conditions are met:

1. It is used with `ActiveSupport.escape_html_entities_in_json = false` (this is not the default for Rails), or it is used with a non-Rails framework such as Sinatra.
2. Untrusted data or options are passed to a chart.

For example, passing request parameters straight into a chart:

```erb
<%= line_chart params[:data], min: params[:min] %>
```
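The chart helper serialises its data and options to JSON and embeds the result in an inline `<script>` block, so the HTML-entity escaping of that JSON is what stands between an untrusted option value and script execution. The following is an added Ruby example, not Chartkick's or ActiveSupport's code: `json_for_html` mimics the effect of `escape_html_entities_in_json` (replacing `<`, `>` and `&` with their `\uXXXX` forms after JSON generation), `chart_script` builds a simplified stand-in for the markup a chart helper emits, and `script_block_intact?` checks whether the emitted block still closes exactly once. All three helpers and the sample parameter value are assumptions constructed for this illustration.

```ruby
require "json"

# Replacement table mirroring what ActiveSupport::JSON.encode applies when
# escape_html_entities_in_json is true: the characters that could end a
# <script> block or start new markup are encoded as JSON \u escapes, which
# JavaScript decodes back to the original characters at parse time.
# (Hypothetical helper, not Chartkick's or ActiveSupport's own code.)
HTML_ESCAPES = {
  "<" => '\u003c',
  ">" => '\u003e',
  "&" => '\u0026',
}.freeze

# Generate JSON that is safe to embed inline in HTML. With
# escape_html: false the output is what a non-Rails app (or Rails with
# escape_html_entities_in_json = false) would emit.
def json_for_html(obj, escape_html: true)
  json = JSON.generate(obj)
  return json unless escape_html
  json.gsub(/[<>&]/) { |c| HTML_ESCAPES[c] }
end

# Simplified stand-in for the inline script a chart helper writes into the
# page; untrusted option values end up inside the serialised config.
def chart_script(data, opts, escape_html: true)
  config = { "data" => data, "options" => opts }
  "<script>new Chartkick.LineChart(\"chart-1\", " \
    "#{json_for_html(config, escape_html: escape_html)});</script>"
end

# True when the markup contains exactly one closing script tag, i.e. the
# serialised config did not break out of the script block.
def script_block_intact?(html)
  html.scan("</script>").length == 1
end

if __FILE__ == $0
  # Constructed sample: a request parameter that tries to close the script block.
  untrusted_min = "</script><p>injected</p>"
  data = [["2024-01-01", 1], ["2024-01-02", 2]]

  unsafe = chart_script(data, { "min" => untrusted_min }, escape_html: false)
  safe   = chart_script(data, { "min" => untrusted_min })

  puts unsafe
  puts "unsafe block intact? #{script_block_intact?(unsafe)}" # false
  puts safe
  puts "safe block intact?   #{script_block_intact?(safe)}"   # true
end
```

Running the script shows the difference the setting makes: without escaping, the literal `</script>` inside the JSON string terminates the block early and the remainder is parsed as HTML; with escaping, the browser sees `\u003c/script\u003e`, which is still the same string once the JavaScript engine decodes it but never reaches the HTML parser as a tag. For a non-Rails framework, where this escaping is not applied automatically, the equivalent mitigation is to validate or whitelist option values before they reach the chart, and to apply the same `\u` escaping to any JSON written inline.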
Patched versions:
- ">= 3.2.0"