oss-sec mailing list archives
[CVE-2015-7579] XSS vulnerability in rails-html-sanitizer
From: Aaron Patterson <tenderlove () ruby-lang org>
Date: Mon, 25 Jan 2016 11:35:37 -0800
XSS vulnerability in rails-html-sanitizer There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`. This vulnerability has been assigned the CVE identifier CVE-2015-7579. Versions Affected: 1.0.2 Not affected: 1.0.0, 1.0.1 Fixed Versions: 1.0.3 Impact ------ Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's `strip_tags` these entities will be unescaped what may cause a XSS attack if used in combination with `raw` or `html_safe`. For example: strip_tags("<script>alert('XSS')</script>") Would generate: <script>alert('XSS')</script> After the fix it will generate: <script>alert('XSS')</script> All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- If you can't upgrade, please use the following monkey patch in an initializer that is loaded before your application: ``` $ cat config/initializers/strip_tags_fix.rb class ActionView::Base def strip_tags(html) self.class.full_sanitizer.sanitize(html) end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * Do-not-unescape-already-escaped-HTML-entities.patch Credits ------- Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for reporting the problem and working with us to fix it. -- Aaron Patterson http://tenderlovemaking.com/
Attachment:
Do-not-unescape-already-escaped-HTML-entities.patch
Description:
Attachment:
_bin
Description:
Current thread:
- [CVE-2015-7579] XSS vulnerability in rails-html-sanitizer Aaron Patterson (Jan 25)