Cross-site Scripting (XSS) Affecting actionview package, versions >=5.0.0.0, <5.0.0.1; >=3.2.23, <4.2.7.1; >=3.0.0, <3.2.22.3


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 0.37% (73rd percentile)

  • Snyk ID: SNYK-RUBY-ACTIONVIEW-20271
  • published: 10 Aug 2016
  • disclosed: 10 Aug 2016
  • credit: Andrew Carpenter

Introduced: 10 Aug 2016

CVE-2016-6316
CWE-79

Overview

actionview is a conventions and helpers gem for building web pages.

Affected versions of this Gem are vulnerable to Cross-site Scripting (XSS) attacks via unescaped quotes when used as attribute values in tag helpers.

Text declared as "HTML safe" when passed as an attribute value to a tag helper will not have quotes escaped which can lead to a Cross-site Scripting (XSS) attack. Impacted code looks something like this:

content_tag(:div, "hi", title: user_input.html_safe)

Some helpers like the sanitize helper will automatically mark strings as "HTML safe", so impacted code could also look something like this:

content_tag(:div, "hi", title: sanitize(user_input))

All users running an affected release should either upgrade or use one of the workarounds immediately.

You can work around this issue by either not marking arbitrary user input as safe, or by manually escaping quotes like this:

# Replace every double quote with its HTML entity so the value cannot
# close the attribute it is placed in.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
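Added example (not code from the advisory or from ActionView): a small Ruby model of the tag-helper logic described above, so the attribute break-out and the escape_quotes workaround can be run and checked without Rails installed. SafeValue, mark_safe, model_sanitize, model_content_tag, attribute_names and injected_attributes are this model's own names, and the probe input is constructed; it carries a quote followed by a harmless extra attribute rather than any script. SafeValue#gsub returns a plain String (as ActiveSupport::SafeBuffer's gsub does), which is why the workaround's output is HTML-escaped a second time by the helper; the attribute stays a single value either way, which is the property the check at the end verifies.

```ruby
# Minimal model of the affected tag-helper behaviour (CVE-2016-6316) and of
# the advisory's workaround. Not ActionView code; names are this model's own.
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a value the helper trusts verbatim.
class SafeValue
  def initialize(str); @str = str; end
  def html_safe?; true; end
  def to_s; @str; end
  # Like SafeBuffer, string edits such as gsub hand back a plain (unsafe) String.
  def gsub(*args, &block); @str.gsub(*args, &block); end
end

def mark_safe(str); SafeValue.new(str); end

# Stand-in for the sanitize helper: crude tag stripping, result marked safe.
# This is the step that turns user input into a trusted value.
def model_sanitize(input)
  mark_safe(input.gsub(/<[^>]*>/, ''))
end

# Models the affected tag_option logic: values that report html_safe? are
# emitted verbatim into the attribute; everything else is HTML-escaped,
# which also encodes double quotes.
def model_content_tag(name, content, attrs = {})
  rendered = attrs.map do |key, value|
    trusted = value.respond_to?(:html_safe?) && value.html_safe?
    v = trusted ? value.to_s : CGI.escapeHTML(value.to_s)
    %(#{key}="#{v}")
  end.join(' ')
  "<#{name} #{rendered}>#{CGI.escapeHTML(content)}</#{name}>"
end

# The advisory's workaround, as given.
def escape_quotes(value)
  value.gsub(/"/, '&quot;'.freeze)
end

# Defender-side check: list the attribute names of the opening tag and report
# any attribute the caller did not pass, i.e. one smuggled in through a value.
def attribute_names(html)
  open_tag = html[/\A<[^>]*>/]
  open_tag.scan(/\s([\w-]+)="[^"]*"/).flatten
end

def injected_attributes(html, expected)
  attribute_names(html) - expected.map(&:to_s)
end

# Constructed probe: a quote that would close the title attribute, followed by
# an extra (harmless) attribute so a break-out is visible in the output.
PROBE = %(x" data-injected="1).freeze

# Render the four situations the advisory describes for the same input.
def render_cases(input = PROBE)
  {
    escaped:    model_content_tag(:div, 'hi', title: input),                  # plain String: safe
    vulnerable: model_content_tag(:div, 'hi', title: mark_safe(input)),       # html_safe: breaks out
    sanitized:  model_content_tag(:div, 'hi', title: model_sanitize(input)),  # sanitize marks safe: breaks out
    workaround: model_content_tag(:div, 'hi', title: escape_quotes(model_sanitize(input)))
  }
end

if __FILE__ == $0
  render_cases.each do |label, html|
    puts "#{label}: #{html}  injected=#{injected_attributes(html, [:title]).inspect}"
  end
end
```

Running the file prints the rendered tag for each case; only the two cases that pass an "HTML safe" value through untouched report an injected attribute. Note that in the workaround case the helper escapes the `&` of `&quot;` again, so the browser shows a literal `&quot;` in the title; that cosmetic cost is the trade-off of the workaround, and upgrading to a fixed release avoids it.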


CVSS Scores (version 3.1)