Potential XSS Vulnerability in auto_link()

[Aaron Patterson]

There is a weakness in the auto_link helper in rails 3.0.x. Irrespective of the
parameters provided, auto_link marks its output as safe causing the resulting
string to be output directly to the client. In certain circumstances an
attacker may be able to use this to exploit an application.

## Impact

Applications which pass untrusted data to auto_link may be vulnerable to XSS
attacks. For example:

<%= auto_link(params[:content]) %>

## Releases

The fix for this is to ensure that the return value of auto_link is never marked
as safe, allowing users to call sanitize or raw depending on their
circumstances. The 3.0.6 release contains this change and is available the
regular locations.

After upgrading users will have to audit their calls to auto_link and either
sanitize the resulting values or call raw where those values have been
previously sanitized. For example, untrusted data will change from:

<%= auto_link(@user.bio) %>

To:
<%= sanitize(auto_link(@user.bio)) %>

Trusted data can be passed directly to the client by calling raw:

<%= raw(auto_link(ADMIN_CONTENT)) %>

## Patches

People who are unable to upgrade can apply the attached patch directly to their
rails installation. This patch should apply cleanly to 3.0.x

## Work around

To work around this problem without applying the patch, use the "sanitize"
method around your calls to auto_link():

<%= sanitize(auto_link(params[:content])) %>

## Credits

Thanks to Torben Schulz for reporting this bug.

--
Aaron Patterson
http://tenderlovemaking.com/