[CVE-2015-1866] Ember.js XSS Vulnerability With {{view "select"}} Options
Data passed as the label of select options may not be escaped before
being passed to the browser.
* Versions Affected: 1.10.0, 1.11.0, 1.11.1, 1.12.0 beta
* Not affected: Versions prior to 1.10.0
* Fixed Versions: 1.10.1, 1.11.2
Impact
-------
In general, Ember.js escapes or strips any user-supplied content before
inserting it in strings that will be sent to innerHTML. However, a
change made to the implementation of the select view means that any
user-supplied data bound to an option's label will not be escaped
correctly.
In applications that use Ember's select view and pass user-supplied
content to the label, a specially-crafted payload could execute
arbitrary JavaScript in the context of the current domain ("XSS").
All users running an affected release and binding user-supplied data to
the select options should either upgrade or use one of the workarounds
immediately.
Releases
--------
Releases are available on
emberjs.com/builds/#/tagged
Workarounds
-----------
Ensure that you escape any user-supplied value that you bind to an
option label. For example, if you bind a label:
  {{view 'select' content=people optionLabelPath='content.name'}}
Ensure that you escape the `name` value of each item in `people` using
Ember.Handlebars.Utils.escapeExpression:
  var people = this.get('people');
  var peopleForSelect = people.map(function(person){
    // Copy so the original model is left untouched; the escaped name
    // shadows the prototype's `name`.
    var newPerson = Object.create(person);
    newPerson.name = Ember.Handlebars.Utils.escapeExpression(person.name);
    return newPerson;
  });
  // Bind the select view's `content` to `peopleForSelect` rather than
  // `people` so only escaped labels reach the options.
  this.set('peopleForSelect', peopleForSelect);
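The following is an added, stand-alone model of the workaround above, not code from Ember or from this advisory: `escapeExpression` mirrors the HTML escaping that Handlebars' `escapeExpression` performs (the exact character set varies slightly between Handlebars versions), `renderSelect` stands in for the affected select view inserting labels verbatim, and the `people` records are constructed sample data.

```javascript
// Added example: compares option markup built from raw labels (the affected
// 1.10.x/1.11.x behaviour) with markup built from labels escaped the way the
// advisory's workaround does it. Nothing here is Ember's own code.
const ESCAPE = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};

// Stand-in for Ember.Handlebars.Utils.escapeExpression (assumed equivalent).
function escapeExpression(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"'`=]/g, (ch) => ESCAPE[ch]);
}

// Models the bug: the option label is inserted into the markup unchanged.
function renderSelect(items, labelPath) {
  const options = items.map((item) => `<option>${item[labelPath]}</option>`);
  return `<select>${options.join('')}</select>`;
}

// The advisory's workaround: copy each record and escape its label up front.
function peopleForSelect(people) {
  return people.map((person) => {
    const copy = Object.create(person);
    copy.name = escapeExpression(person.name);
    return copy;
  });
}

// Constructed sample data; the second name carries markup characters.
const people = [
  { id: 1, name: 'Ann' },
  { id: 2, name: 'Bob "the builder" <b>& sons</b>' },
];

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    vulnerable: renderSelect(people, 'name'),
    fixed: renderSelect(peopleForSelect(people), 'name'),
  };
}
```

Inspect `demo().vulnerable`: the `<b>` tag from the label lands in the select markup as live HTML, whereas `demo().fixed` carries it only as `&lt;b&gt;` text.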
Credits
-------
This vulnerability was reported to us by Phillip Haines of Zestia. Many
thanks for working with us on identifying the issue and on the advisory
process.
Best,
-Matthew (Ember.js Core Team member)
http://madhatted.com :: @mixonic