Rubysec

Providing security resources for the Ruby community.

Advisory Archive


---
gem: ember-source
date: 2016-01-14
url: https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY
cve: 2015-7565
title: Ember.js XSS Vulnerability with User-Supplied JSON
description: |
  By default, Ember will escape any values in Handlebars templates that
  use double curlies (`{{value}}`). Developers can specifically opt out of
  this escaping behavior by passing an instance of `SafeString` rather
  than a raw string, which tells Ember that it should not escape the
  string because the developer has taken responsibility for escapement.

  It is possible for an attacker to create a specially-crafted payload
  that causes a non-sanitized string to be treated as a `SafeString`, and
  thus bypass Ember's normal escaping behavior. This could allow an
  attacker to execute arbitrary JavaScript in the context of the current
  domain ("XSS").

  All users running an affected release should either upgrade or use one of
  the workarounds immediately.
unaffected_versions:
- "< 1.8.0"
patched_versions:
- "~> 1.11.4"
- "~> 1.12.2"
- "~> 1.13.12"
- "~> 2.0.3"
- "~> 2.1.2"
- ">= 2.2.1"
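The description above contrasts two behaviours: `{{value}}` escapes by default, and a `SafeString` built by trusted application code opts out. The following is an added illustration in JavaScript, not Ember's own code, and it does not reproduce the advisory's payload (which the advisory does not disclose). It models those two behaviours in a tiny renderer and shows the design property a defender wants from the opt-out check: it must be decided by the value's origin (constructed through the application's own `htmlSafe()`), never by its shape, so that an object deserialised from user-supplied JSON can never be mistaken for a `SafeString`. All function and class names, the template syntax handled, and the sample JSON are assumptions constructed for this example.

```javascript
// Added example modelling Handlebars-style escaping with a SafeString opt-out.
// Not Ember's implementation; every name here is chosen for the illustration.

// Characters that must never reach the DOM unescaped from a {{value}} expression.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"'`=]/g, (ch) => ESCAPE_MAP[ch]);
}

// The developer's explicit promise that `string` is already safe HTML.
class SafeString {
  constructor(string) { this.string = String(string); }
  toString() { return this.string; }
  toHTML() { return this.string; }
}

// The only sanctioned way for application code to opt out of escaping.
function htmlSafe(string) { return new SafeString(string); }

// Origin-based check: only instances constructed via htmlSafe() qualify.
// A plain object produced by JSON.parse has Object.prototype as its prototype,
// so it can never pass this test, whatever property names it happens to carry.
function isHTMLSafe(value) {
  return value instanceof SafeString;
}

// What a {{value}} expression does: pass genuine SafeStrings through, escape all else.
function escapeExpression(value) {
  if (value === null || value === undefined) return '';
  if (isHTMLSafe(value)) return value.toHTML();
  return escapeHtml(value);
}

// Minimal renderer for templates containing only double-curly expressions.
// Dotted paths such as `user.bio` are resolved against `context`.
function renderTemplate(template, context) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, path) => {
    const value = path
      .split('.')
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), context);
    return escapeExpression(value);
  });
}

// Constructed sample standing in for user-supplied JSON. `bio` is an object that
// mimics the *shape* of a SafeString; the renderer must still escape it.
const USER_JSON = JSON.stringify({
  name: '<b>Mallory</b>',
  bio: { string: '<script>alert(1)</script>', toHTML: 'looks like a SafeString' },
});

function demo() {
  const user = JSON.parse(USER_JSON);
  const template =
    '<p>{{user.name}}</p><div>{{user.bio}}</div><footer>{{footer}}</footer>';
  return renderTemplate(template, {
    user,
    // Trusted markup produced by application code, not taken from the user.
    footer: htmlSafe('<a href="/about">About</a>'),
  });
}

console.log(demo());
```

The point to carry over to a real application is the one in `isHTMLSafe`: the escaping layer should recognise a safe value by how it was created, and data that arrives from JSON, query strings or storage should be escaped or sanitised before the application itself wraps it with `htmlSafe()`. Note that the object-shaped `bio` renders as the escaped string `[object Object]` here; a production renderer would more likely reject non-primitive values outright, but either way nothing from the JSON reaches the page unescaped.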