XSS Vulnerability With {{link-to}} Helper in Non-block Form
There is a vulnerability in the {{link-to}} helper in Ember.js.
Versions Affected: 1.2.0, 1.2.1, 1.3.0, 1.3.1
Not affected: Versions prior to 1.2
Fixed Versions: 1.2.2, 1.3.2
Impact
-------
In general, Ember.js escapes or strips any user-supplied content before
inserting it in strings that will be sent to innerHTML. However, a change made
to the implementation of the {{link-to}} helper means that any user-supplied
data bound to the {{link-to}} helper's title attribute will not be escaped
correctly.
In applications that use the {{link-to}} helper in non-block form and bind
the title attribute to user-supplied content, a specially-crafted payload
could execute arbitrary JavaScript in the context of the current domain
("XSS").
All users running an affected release and binding user-supplied data to the
{{link-to}} helper's title attribute should either upgrade or use one of the
workarounds immediately.
Releases
--------
Releases are available on
emberjs.com/builds/#/tagged
Workarounds
-----------
Ensure that you escape any user-supplied value that you bind to the {{link-to}}
helper's title attribute. For example, if you bind a value named userTitle:
{{link-to "user" title=userTitle}}
Ensure that you escape the value of userTitle using
Ember.Handlebars.Utils.escapeExpression:
var userTitle = this.get('userTitle');
var safeUserTitle = Ember.Handlebars.Utils.escapeExpression(userTitle);
this.set('userTitle', safeUserTitle);
Patches
-------
To aid users who aren't able to upgrade immediately, we have provided patches
for 1.2.0, 1.2.1, 1.3.0 and 1.3.1. They are in git-am format and consist of a
single changeset.
patch_for_1.2.0.diff
patch_for_1.2.1.diff
patch_for_1.3.0.diff
patch_for_1.3.1.diff
Credits
-------
This vulnerability was reported to us by Hyder Ali of Zoho. Many thanks for
working with us on the patches and advisory.