Versions Affected: 3.0.0 and later, 2.3.X in combination with the
Not Affected: Pre-3.0.0 releases, without the rails_xss plugin,
did no automatic XSS escaping, so are not considered vulnerable
Fixed Versions: 3.0.11, 3.1.2
Ruby on Rails has a helper method for i18n translations. This function
has a convention whereby translations strings with a name ending in
'html' are considered HTML safe. There is also a mechanism for
interpolation. It has been discovered that these 'html' strings allow
arbitrary values to be contained in the interpolated input, and these
values are not escaped.
All users using the translate helper method with 'html safe'
translations which use variable interpolation should either upgrade or
use one of the workarounds immediately.
Escape all interpolated input manually. For example:
translate('some_html', :some => '<input>')
should be changed to:
translate('some_html', :some => h('<input>'))
To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.
* 3-0-translate.patch - Patch for 3.0 series
* 3-1-translate.patch - Patch for 3.1 series
Thanks to Sergey Nartimov for finding the vulnerability and submitting
the initial patch.