[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers
Aaron Patterson
There is a possible XSS vulnerability in Action View tag helpers. Passing
untrusted input as hash keys can lead to a possible XSS vulnerability. This
vulnerability has been assigned the CVE identifier CVE-2022-27777.
Versions Affected: ALL
Not affected: NONE
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
Impact
------
If untrusted data is passed as the hash key for tag attributes, there is a
possibility that the untrusted data may not be properly escaped which can
lead to an XSS vulnerability.
Impacted code will look something like this:
```
check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })
```
Where the "malicious_input" variable contains untrusted data.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
Escape the untrusted data before using it as a key for tag helper methods.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 5-2-tag-helper-xss.patch - Patch for 5.2 series
* 6-0-tag-helper-xss.patch - Patch for 6.0 series
* 6-1-tag-helper-xss.patch - Patch for 6.1 series
* 7-0-tag-helper-xss.patch - Patch for 7.0 series
Credits
-------
Thank you to [Álvaro Martín Fraguas](https://hackerone.com/amartinfraguas) for
reporting the issue and providing patches!