[CVE-2015-7579] XSS vulnerability in rails-html-sanitizer
3,191 views
Skip to first unread message
Aaron Patterson
Jan 25, 2016, 2:35:51 PM1/25/16
to secu...@suse.de, rubyonrail...@googlegroups.com, oss-se...@lists.openwall.com, ruby-sec...@googlegroups.com
XSS vulnerability in rails-html-sanitizer
There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.
This vulnerability has been assigned the CVE identifier CVE-2015-7579.
Versions Affected: 1.0.2
Not affected: 1.0.0, 1.0.1
Fixed Versions: 1.0.3
Impact
------
Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View's `strip_tags`
these entities will be unescaped what may cause a XSS attack if used in combination
with `raw` or `html_safe`.
For example:
strip_tags("<script>alert('XSS')</script>")
Would generate:
<script>alert('XSS')</script>
After the fix it will generate:
<script>alert('XSS')</script>
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:
```
$ cat config/initializers/strip_tags_fix.rb
class ActionView::Base
def strip_tags(html)
self.class.full_sanitizer.sanitize(html)
end
end
```
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches
for the two supported release series. They are in git-am format and consist
of a single changeset.
* Do-not-unescape-already-escaped-HTML-entities.patch
Credits
-------
Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
reporting the problem and working with us to fix it.
--
Aaron Patterson
http://tenderlovemaking.com/
There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.
This vulnerability has been assigned the CVE identifier CVE-2015-7579.
Versions Affected: 1.0.2
Not affected: 1.0.0, 1.0.1
Fixed Versions: 1.0.3
Impact
------
Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View's `strip_tags`
these entities will be unescaped what may cause a XSS attack if used in combination
with `raw` or `html_safe`.
For example:
strip_tags("<script>alert('XSS')</script>")
Would generate:
<script>alert('XSS')</script>
After the fix it will generate:
<script>alert('XSS')</script>
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:
```
$ cat config/initializers/strip_tags_fix.rb
class ActionView::Base
def strip_tags(html)
self.class.full_sanitizer.sanitize(html)
end
end
```
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches
for the two supported release series. They are in git-am format and consist
of a single changeset.
* Do-not-unescape-already-escaped-HTML-entities.patch
Credits
-------
Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
reporting the problem and working with us to fix it.
--
Aaron Patterson
http://tenderlovemaking.com/
Reply all
Reply to author
Forward
0 new messages