Possible XSS Vulnerability in Action View

Metadata
--------

medium
4.3
actionview
CVE-2016-6316
groups.google.com
2016-08-11
2017-06-16 19:20

Description
-----------

There is a possible XSS vulnerability in Action View. Text declared as "HTML
safe" will not have quotes escaped when used as attribute values in tag
helpers.

Impact
------

Text declared as "HTML safe" when passed as an attribute value to a tag helper
will not have quotes escaped which can lead to an XSS attack. Impacted code
looks something like this:

```ruby
content_tag(:div, "hi", title: user_input.html_safe)
```

Some helpers like the `sanitize` helper will automatically mark strings as
"HTML safe", so impacted code could also look something like this:

```ruby
content_tag(:div, "hi", title: sanitize(user_input))
```

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds
-----------
You can work around this issue by either *not* marking arbitrary user input as
safe, or by manually escaping quotes like this:

```ruby
# Replace every double quote with its HTML entity so the value cannot
# terminate the surrounding attribute, even if it has been marked "HTML safe".
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
```
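The following is an added, self-contained illustration of the behaviour described in the Impact and Workarounds sections; it is not code from the advisory or from Rails. `SafeString`, `vulnerable_tag_option`, `hardened_tag_option` and `attribute_intact?` are constructed stand-ins for `ActiveSupport::SafeBuffer` and the Action View tag-option rendering, written so the example runs with only the Ruby standard library.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer: a String that reports itself
# as "HTML safe" (what `html_safe` and `sanitize` return in Rails).
# Constructed for this example; not Rails code.
class SafeString < String
  def html_safe?
    true
  end
end

def html_safe_value?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Emulates the affected behaviour: a value already marked safe is placed
# into the attribute verbatim, so a double quote inside it ends the attribute.
def vulnerable_tag_option(key, value)
  rendered = html_safe_value?(value) ? value : ERB::Util.html_escape(value)
  %(#{key}="#{rendered}")
end

# The advisory's workaround: escape double quotes even in "safe" text.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

# Hardened variant: safe text still gets its quotes entity-encoded before it
# is used as an attribute value; unsafe text is fully escaped as before.
def hardened_tag_option(key, value)
  rendered = html_safe_value?(value) ? escape_quotes(value) : ERB::Util.html_escape(value)
  %(#{key}="#{rendered}")
end

# A rendered option is intact when the only double quotes are the pair
# delimiting the attribute value.
def attribute_intact?(option_html)
  option_html.count('"') == 2
end

# Constructed sample: text that survives `sanitize` (which removes tags, not
# quote characters) and has been marked HTML safe.
SAMPLE = SafeString.new('Ruby on Rails" data-extra="1')

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_tag_option(:title, SAMPLE) # attribute is broken out of
  puts hardened_tag_option(:title, SAMPLE)   # quotes stay inside the value
end
```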

Am I vulnerable?
----------------

The constraints below list the versions that this vulnerability is patched in, and the versions that are unaffected. If a patch is ready but unreleased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information
----------------------------

| Package    | Patched in                         | Unaffected in |
|------------|------------------------------------|---------------|
| actionview | ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1   | < 3.0.0       |