XSS Vulnerability in ActiveSupport::JSON.encode
When a `Hash` containing user-controlled data is encoded as JSON (either through
`Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
escaping that matches the guarantee implied by the `escape_html_entities_in_json`
option (which is enabled by default). If the resulting JSON string is subsequently
inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
For example, the following code snippet is vulnerable to this attack:
Similarly, the following is also vulnerable:
All applications that render JSON-encoded strings containing user-controlled
data in their views should either upgrade to one of the FIXED versions or use
the suggested workaround immediately.
To work around this problem add an initializer with the following code:
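The advisory's own initializer code is not reproduced on this page. The following is an added example, not the advisory's workaround and not Rails' own encoder: it shows the property the `escape_html_entities_in_json` option is meant to guarantee and a check a reviewer can run against any JSON that is about to be inlined into a `<script>` block. The characters `<`, `>`, `&` (and the JavaScript line terminators U+2028/U+2029) are rewritten as `\uXXXX` escapes in every string of the serialised text, hash keys included, which leaves the decoded data unchanged. The helper names (`html_safe_json`, `safe_for_script_embed?`) and the profile hash are constructed for this illustration.

```ruby
require 'json'

# Characters that are harmless in JSON but dangerous once the JSON text is
# inlined into an HTML <script> block or attribute. Each maps to its \uXXXX
# JSON escape, which a JSON parser decodes back to the original character.
HTML_UNSAFE = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028', # line separator: terminates a JavaScript string literal
  "\u2029" => '\u2029'  # paragraph separator: same problem
}.freeze

# Serialise +obj+ to JSON, then escape every HTML/JS-significant character.
# Post-processing the serialised text is sound because outside of string
# literals JSON contains only structural characters, digits and keywords, so
# any '<', '>' or '&' in the output must sit inside a string, whether that
# string is a hash key or a value. (Hypothetical helper, not Rails' API.)
def html_safe_json(obj)
  JSON.generate(obj).gsub(Regexp.union(HTML_UNSAFE.keys), HTML_UNSAFE)
end

# Review check: does the encoded text still contain anything that could close
# a <script> block, open a tag, or break a JavaScript string literal?
def safe_for_script_embed?(json_text)
  !json_text.match?(/[<>&\u2028\u2029]/)
end

# Constructed input standing in for a user-controlled profile hash. The
# hostile text appears both as a value and as a hash key, because a correct
# encoder must treat both identically.
USER_INPUT = {
  'name'          => '</script><b>injected</b>',
  '</script><i>' => 'key text is user-controlled too'
}.freeze

if __FILE__ == $PROGRAM_NAME
  naive = JSON.generate(USER_INPUT)   # plain JSON: '<' and '>' pass through untouched
  safe  = html_safe_json(USER_INPUT)  # every '<', '>' and '&' becomes \u00XX
  puts "naive: #{naive} (safe to embed? #{safe_for_script_embed?(naive)})"
  puts "safe:  #{safe} (safe to embed? #{safe_for_script_embed?(safe)})"
  # Escaping changes only the textual form; the parsed data is identical.
  puts "round-trips: #{JSON.parse(safe) == USER_INPUT}"
end
```

Run the file directly to see the naive and escaped encodings side by side. The round-trip line is the point that matters for a workaround of this kind: the escaped output is still valid JSON that decodes to exactly the original hash, so the extra escaping costs nothing in application behaviour and only removes the ability of a string to terminate the surrounding `<script>` element.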
Am I vulnerable?
The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unreleased, then it is pending.
Affected package information
| Package | Patched in | Unaffected in |
|---------|------------|---------------|