XSS Vulnerability in strip_tags helper - Ruby on Rails: Security

The old Google Groups will be going away soon, but your browser is incompatible with the new version.

« Groups Home

Ruby on Rails: Security

Home

Discussions

About this group

Join this group

XSS Vulnerability in strip_tags helper

Options

1 message - Collapse all

Aaron Patterson

View profile

More options Aug 16 2011, 5:03 pm

From: Aaron Patterson <aa...@tenderlovemaking.com>

Date: Tue, 16 Aug 2011 14:03:58 -0700

Local: Tues, Aug 16 2011 5:03 pm

Subject: XSS Vulnerability in strip_tags helper

Print | Individual message | Show original | Report this message | Find messages by this author

XSS Vulnerability in strip_tags helper

There is a vulnerability in the strip_tags helper in Ruby On Rails, using specially crafted output an attacker can successfully inject HTML into the document. This vulnerability has been assigned the CVE identifier CVE-YYYY-XXXX.

Versions Affected: All.
Fixed Versions: 3.0.10, 2.3.13, 3.1.0.rc5

Impact
------
The strip_tags helper in Ruby on Rails is designed to remove all HTML tags from a string. By using specially crafted values an attacker can confuse the parser and cause HTML tags to be injected into the response. This can be exploited to inject arbitrary javascript into the rendered page.

Future releases of Ruby on Rails are likely to replace the current HTML tokenizer with one provided by libxml to reduce the likelihood of errors such as these in the future. In the meantime users can install the loofah gem[1] which should enhance both the performance and reliability of the HTML sanitization helpers.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Releases
--------
The 3.0.10, 2.3.13 and v3.1.0.rc5 releases are available at the normal locations.

Workarounds
-----------

Users running a release of rails prior to 3.0 can work around this issue by escaping the result of strip_tags. Replacing:

<%= strip_tags(params[:user_content]) %>

with

<%=h strip_tags(params[:user_content]) %>

Users running 3.0 or later will have to take an additional step to ensure that the output is correctly escaped.

<%= strip_tags(params[:user_content]) %>

must be replaced with

<%=h strip_tags(params[:user_content]).to_str %>

Users running a 2.3 application with the rails_xss plugin installed are advised to upgrade as there is no feasible workaround.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 2-3-strip_tags.patch - Patch for 2.3 series
* 3-0-strip_tags.patch - Patch for 3.0 series
* 3-1-strip_tags.patch - Patch for 3.1 series

Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible.

Credits
-------

Thanks to Sascha Depold for reporting the vulnerability to us and working with us to verify the fix.

[1] http://loofah.rubyforge.org/loofah/

--
Aaron Patterson
http://tenderlovemaking.com/

2-3-stable-fix-strip-tags.patch
1K Download

3-0-stable-fix-strip-tags.patch
1K Download

3-1-stable-fix-strip-tags.patch
1K Download

application_pgp-signature_part
< 1K Download

End of messages

« Back to Discussions

« Newer topic

Older topic »

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy

Account Options