XSS Vulnerability in strip_tags helper

515 views
Skip to first unread message

Aaron Patterson

unread,
Aug 16, 2011, 5:03:58 PM8/16/11
to rubyonrail...@googlegroups.com
XSS Vulnerability in strip_tags helper

There is a vulnerability in the strip_tags helper in Ruby On Rails, using specially crafted output an attacker can successfully inject HTML into the document. This vulnerability has been assigned the CVE identifier CVE-YYYY-XXXX.

Versions Affected: All.
Fixed Versions: 3.0.10, 2.3.13, 3.1.0.rc5

Impact
------
The strip_tags helper in Ruby on Rails is designed to remove all HTML tags from a string. By using specially crafted values an attacker can confuse the parser and cause HTML tags to be injected into the response. This can be exploited to inject arbitrary javascript into the rendered page.

Future releases of Ruby on Rails are likely to replace the current HTML tokenizer with one provided by libxml to reduce the likelihood of errors such as these in the future. In the meantime users can install the loofah gem[1] which should enhance both the performance and reliability of the HTML sanitization helpers.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Releases
--------
The 3.0.10, 2.3.13 and v3.1.0.rc5 releases are available at the normal locations.

Workarounds
-----------

Users running a release of rails prior to 3.0 can work around this issue by escaping the result of strip_tags. Replacing:

<%= strip_tags(params[:user_content]) %>

with

<%=h strip_tags(params[:user_content]) %>

Users running 3.0 or later will have to take an additional step to ensure that the output is correctly escaped.

<%= strip_tags(params[:user_content]) %>

must be replaced with

<%=h strip_tags(params[:user_content]).to_str %>

Users running a 2.3 application with the rails_xss plugin installed are advised to upgrade as there is no feasible workaround.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 2-3-strip_tags.patch - Patch for 2.3 series
* 3-0-strip_tags.patch - Patch for 3.0 series
* 3-1-strip_tags.patch - Patch for 3.1 series

Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible.

Credits
-------

Thanks to Sascha Depold for reporting the vulnerability to us and working with us to verify the fix.

[1] http://loofah.rubyforge.org/loofah/

--
Aaron Patterson
http://tenderlovemaking.com/

2-3-stable-fix-strip-tags.patch
3-0-stable-fix-strip-tags.patch
3-1-stable-fix-strip-tags.patch
Reply all
Reply to author
Forward
0 new messages