oss-sec mailing list archives
[CVE-2014-0046] XSS Vulnerability With {{link-to}} Helper in Non-block Form
From: Tom Dale <tom () tomdale net>
Date: Fri, 14 Feb 2014 10:05:12 -0800
XSS Vulnerability With {{link-to}} Helper in Non-block Form There is a vulnerability in the {{link-to}} helper in Ember.js. This vulnerability has been assigned CVE-2014-0046. Versions Affected: 1.2.0, 1.2.1, 1.3.0, 1.3.1 Not affected: Versions prior to 1.2 Fixed Versions: 1.2.2, 1.3.2 Impact ------- In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the {{link-to}} helper means that any user-supplied data bound to the {{link-to}} helper's title attribute will not be escaped correctly. In applications that use the {{link-to}} helper in non-block form and bind the title attribute to user-supplied content, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS"). All users running an affected release and binding user-supplied data to the {{link-to}} helper's title attribute should either upgrade or use one of the workarounds immediately. Releases -------- Releases are available on emberjs.com/builds/#/tagged Workarounds ----------- Ensure that you escape any user-supplied value that you bind to the {{link-to}} helper's title attribute. For example, if you bind a value named userTitle: {{link-to "user" title=userTitle}} Ensure that you escape the value of userTitle using Ember.Handlebars.Utils.escapeExpression: var userTitle = this.get('userTitle'); var safeUserTitle = Ember.Handlebars.Utils.escapeExpression(userTitle); this.set('userTitle', safeUserTitle); Patches ------- Patches are available as an attachment to the announcement on the emberjs-security list: https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ Credits ------- This vulnerability was reported to us by Hyder Ali of Zoho. Many thanks for working with us on the patches and advisory.
Current thread:
- [CVE-2014-0046] XSS Vulnerability With {{link-to}} Helper in Non-block Form Tom Dale (Feb 14)