[CVE-2015-7579] XSS vulnerability in rails-html-sanitizer

[Aaron Patterson <tenderlove () ruby-lang org>]

XSS vulnerability in rails-html-sanitizer

There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.
This vulnerability has been assigned the CVE identifier CVE-2015-7579.

Versions Affected:  1.0.2
Not affected:       1.0.0, 1.0.1
Fixed Versions:     1.0.3

Impact
------
Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View's `strip_tags`
these entities will be unescaped what may cause a XSS attack if used in combination
with `raw` or `html_safe`.

For example:

    strip_tags("<script>alert('XSS')</script>")

Would generate:

    <script>alert('XSS')</script>

After the fix it will generate:

    &lt;script&gt;alert('XSS')&lt;/script&gt;

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:

```
$ cat config/initializers/strip_tags_fix.rb
class ActionView::Base
  def strip_tags(html)
    self.class.full_sanitizer.sanitize(html)
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches
for the two supported release series. They are in git-am format and consist
of a single changeset.

* Do-not-unescape-already-escaped-HTML-entities.patch

Credits
-------
Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
reporting the problem and working with us to fix it.

-- 
Aaron Patterson
http://tenderlovemaking.com/

Attachment: Do-not-unescape-already-escaped-HTML-entities.patch
Description:

Attachment: _bin
Description: