title: XSS vulnerability in rails-html-sanitizer
description: |
  There is an XSS vulnerability in `Rails::Html::FullSanitizer` used by
  Action View's `strip_tags`.
  This vulnerability has been assigned the CVE identifier CVE-2015-7579.

  Versions Affected: 1.0.2
  Not affected: 1.0.0, 1.0.1
  Fixed Versions: 1.0.3

  Impact
  ------
  Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
  passes an already escaped HTML entity to the input of Action View's `strip_tags`,
  these entities will be unescaped, which may enable an XSS attack if the result is
  used in combination with `raw` or `html_safe`.

  For example:

      strip_tags("&lt;script&gt;alert('XSS')&lt;/script&gt;")

  Would generate:

      <script>alert('XSS')</script>

  After the fix it will generate:

      &lt;script&gt;alert('XSS')&lt;/script&gt;

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Releases
  --------
  The FIXED releases are available at the normal locations.

  Workarounds
  -----------
  If you can't upgrade, please use the following monkey patch in an initializer
  that is loaded before your application:

  ```
  $ cat config/initializers/strip_tags_fix.rb
  class ActionView::Base
    def strip_tags(html)
      self.class.full_sanitizer.sanitize(html)
    end
  end
  ```

  Patches
  -------
  To aid users who aren't able to upgrade immediately we have provided patches
  for the two supported release series. They are in git-am format and consist
  of a single changeset.

  * Do-not-unescape-already-escaped-HTML-entities.patch

  Credits
  -------
  Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
  reporting the problem and working with us to fix it.
unaffected_versions:
  - "~> 1.0.0"
  - "~> 1.0.1"
patched_versions:
  - ">= 1.0.3"
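The Impact section above says the bug only becomes an XSS when the output of `strip_tags` is marked trusted with `raw` or `html_safe`. The following Ruby is an added example, not code from the advisory or from rails-html-sanitizer: it models the 1.0.2 behaviour (tags removed, text returned decoded, so `&lt;` comes back as `<`) and the 1.0.3 behaviour (tags removed, existing entities left alone) with a simplified regex tag stripper and the standard `CGI` module standing in for Loofah. The helper names (`vulnerable_strip_tags`, `fixed_strip_tags`, `renders_script?`, `render_escaped`) and the attacker input are constructed for illustration and are assumptions of this example.

```ruby
require "cgi"

# Added example, not the advisory's or rails-html-sanitizer's own code.
# TAG_RE is a deliberately simple stand-in for a real HTML parser.
TAG_RE = /<[^>]*>/m

# Models FullSanitizer#sanitize in 1.0.2: strip markup, then return the
# *decoded* text of what is left. An already escaped "&lt;script&gt;" is
# therefore handed back as a live "<script>".
def vulnerable_strip_tags(html)
  CGI.unescapeHTML(html.gsub(TAG_RE, ""))
end

# Models the 1.0.3 fix: strip markup but do not unescape entities that were
# already escaped in the input.
def fixed_strip_tags(html)
  html.gsub(TAG_RE, "")
end

# Stand-in for the dangerous sink: `raw`/`html_safe` tells Rails to emit the
# string unchanged. Returns true if a script tag would reach the browser.
def renders_script?(html_safe_string)
  html_safe_string.match?(/<script\b/i)
end

# Stand-in for a plain `<%= strip_tags(x) %>` without `raw`: Rails escapes
# the result on output, which is why the bug needs `raw`/`html_safe` to be
# exploitable.
def render_escaped(str)
  CGI.escapeHTML(str)
end

# Constructed attacker input: a <script> element that was correctly escaped
# on the way into the database (e.g. a profile field).
ATTACKER_INPUT = "&lt;script&gt;alert('XSS')&lt;/script&gt;"

# Run the same input through both behaviours and report whether each would
# inject a script when marked html_safe.
def demo(input = ATTACKER_INPUT)
  before = vulnerable_strip_tags(input)
  after  = fixed_strip_tags(input)
  {
    before: before,
    after: after,
    before_xss_if_raw: renders_script?(before),
    after_xss_if_raw: renders_script?(after),
    before_xss_if_escaped: renders_script?(render_escaped(before))
  }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The practical check this gives you: grep your views for `raw(strip_tags(` and `strip_tags(...).html_safe`; those are the call sites that turn the 1.0.2 behaviour into an XSS, and the default escaping of `<%= %>` neutralises it even on the vulnerable version.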