CVE-2016-6316.yml
---
gem: actionpack
framework: rails
cve: 2016-6316
ghsa: pc3m-v286-2jwj
url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
title: Possible XSS Vulnerability in Action View
date: 2016-08-11
description: |
  There is a possible XSS vulnerability in Action View. Text declared as "HTML
  safe" will not have quotes escaped when used as attribute values in tag
  helpers.

  Impact
  ------
  Text declared as "HTML safe" when passed as an attribute value to a tag helper
  will not have quotes escaped, which can lead to an XSS attack. Impacted code
  looks something like this:

  ```ruby
  content_tag(:div, "hi", title: user_input.html_safe)
  ```

  Some helpers like the `sanitize` helper will automatically mark strings as
  "HTML safe", so impacted code could also look something like this:

  ```ruby
  content_tag(:div, "hi", title: sanitize(user_input))
  ```

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Workarounds
  -----------
  You can work around this issue by either *not* marking arbitrary user input as
  safe, or by manually escaping quotes like this:

  ```ruby
  # Replace every double quote with its HTML entity so the value can never
  # close the attribute it is rendered into.
  def escape_quotes(value)
    value.gsub(/"/, '&quot;'.freeze)
  end

  content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
  ```
cvss_v3: 6.1
unaffected_versions:
- "< 3.0.0"
- ">= 4.1.0"
patched_versions:
- "~> 3.2.22.3"
- "~> 4.2.7.1"
- ">= 5.0.0.1"
notes: "Newer versions are affected, but tracked in the actionview gem."
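The following is an added illustration of the attribute-quoting defect the description above covers; it is not Rails code and not part of this advisory record. It models the pre-fix and patched attribute rendering with two small functions (`attr_vulnerable`, `attr_patched`, both assumed stand-ins), uses a `SafeString` class in place of `ActiveSupport::SafeBuffer`, and feeds a constructed input through the advisory's `escape_quotes` workaround so the three outputs can be compared side by side.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String the app has marked html_safe.
class SafeString < String; end

# Modelled pre-fix Action View behaviour: a value marked safe goes into the
# attribute verbatim, so a double quote inside it closes the attribute and
# whatever follows is parsed as additional attributes.
def attr_vulnerable(name, value)
  rendered = value.is_a?(SafeString) ? value.to_s : CGI.escapeHTML(value.to_s)
  %(#{name}="#{rendered}")
end

# Modelled patched behaviour: quotes in attribute values are always turned
# into &quot;, whether or not the value was marked safe.
def attr_patched(name, value)
  rendered = value.is_a?(SafeString) ? value.to_s.gsub('"', '&quot;') : CGI.escapeHTML(value.to_s)
  %(#{name}="#{rendered}")
end

# The advisory's workaround, applied by the caller before the tag helper.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

# Minimal content_tag; the attribute renderer is injected so both variants can be compared.
def content_tag(name, body, attrs, renderer)
  rendered = attrs.map { |k, v| renderer.call(k, v) }.join(' ')
  "<#{name} #{rendered}>#{CGI.escapeHTML(body)}</#{name}>"
end

# Constructed input: a closing quote followed by an extra attribute.
USER_INPUT = 'hello" data-injected="1'

def vulnerable_output
  content_tag(:div, 'hi', { title: SafeString.new(USER_INPUT) }, method(:attr_vulnerable))
end

def patched_output
  content_tag(:div, 'hi', { title: SafeString.new(USER_INPUT) }, method(:attr_patched))
end

# Workaround on the unpatched helper; the result is re-marked safe to show the
# escaped quotes survive even in that worst case.
def workaround_output
  content_tag(:div, 'hi', { title: SafeString.new(escape_quotes(USER_INPUT)) }, method(:attr_vulnerable))
end

# Review check: the injected name must never appear as a real attribute.
def injected?(html)
  html.include?(' data-injected="')
end
```

Running `vulnerable_output` yields `<div title="hello" data-injected="1">hi</div>`, while both `patched_output` and `workaround_output` keep the quote inside the title value as `&quot;`.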