XSS Vulnerability in simple_format helper
There is a vulnerability in the simple_format helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6416.
Versions Affected: 4.0.0 & 4.0.1
Not affected: Versions prior to 4.0
Fixed Versions: 4.0.2
The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.
All users running an affected release and passing user-controlled html attributes to simple_format should either upgrade or use one of the work arounds immediately.
The 4.0.2 release is available at the normal locations.
To work around this issue, take care to escape any user provided data before passing it to simple_format. For example, instead of:
simple_format(some_text, class: params[:class])
You should use
simple_format(some_text, class: h(params[:class]))
To aid users who aren't able to upgrade immediately we have provided a patch for the 4.0 release series. It is in git-am format and consists of a single changeset.
* 4-0-simple_format_xss.patch - Patch for 4.0 series
Please note that only the 4.0.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Thanks to Kevin Reintjes for reporting the vulnerability to us and helping us work on a fix.