XSS vulnerability in rails-html-sanitizer
There is a XSS vulnerability in Rails::Html::FullSanitizer
used by Action View’s strip_tags
.
This vulnerability has been assigned the CVE identifier CVE-2015-7579.
Versions Affected: 1.0.2
Not affected: 1.0.0, 1.0.1
Fixed Versions: 1.0.3
Due to the way that Rails::Html::FullSanitizer
is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View’s strip_tags
these entities will be unescaped what may cause a XSS attack if used in combination
with raw
or html_safe
.
For example:
strip_tags("<script>alert('XSS')</script>")
Would generate:
<script>alert('XSS')</script>
After the fix it will generate:
<script>alert('XSS')</script>
All users running an affected release should either upgrade or use one of the
workarounds immediately.
The FIXED releases are available at the normal locations.
If you can’t upgrade, please use the following monkey patch in an initializer
that is loaded before your application:
$ cat config/initializers/strip_tags_fix.rb
class ActionView::Base
def strip_tags(html)
self.class.full_sanitizer.sanitize(html)
end
end