[CVE-2015-7579] XSS vulnerability in rails-html-sanitizer

3,201 views
Skip to first unread message

Aaron Patterson

unread,
Jan 25, 2016, 2:35:51 PM1/25/16
to secu...@suse.de, rubyonrail...@googlegroups.com, oss-se...@lists.openwall.com, ruby-sec...@googlegroups.com
XSS vulnerability in rails-html-sanitizer

There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.
This vulnerability has been assigned the CVE identifier CVE-2015-7579.

Versions Affected: 1.0.2
Not affected: 1.0.0, 1.0.1
Fixed Versions: 1.0.3

Impact
------
Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View's `strip_tags`
these entities will be unescaped what may cause a XSS attack if used in combination
with `raw` or `html_safe`.

For example:

strip_tags("<script>alert('XSS')</script>")

Would generate:

<script>alert('XSS')</script>

After the fix it will generate:

&lt;script&gt;alert('XSS')&lt;/script&gt;

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:

```
$ cat config/initializers/strip_tags_fix.rb
class ActionView::Base
def strip_tags(html)
self.class.full_sanitizer.sanitize(html)
end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches
for the two supported release series. They are in git-am format and consist
of a single changeset.

* Do-not-unescape-already-escaped-HTML-entities.patch

Credits
-------
Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
reporting the problem and working with us to fix it.

--
Aaron Patterson
http://tenderlovemaking.com/
Do-not-unescape-already-escaped-HTML-entities.patch
Reply all
Reply to author
Forward
0 new messages