XSS vulnerability in rails-html-sanitizer
There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.
This vulnerability has been assigned the CVE identifier CVE-2015-7579.
Versions Affected: 1.0.2
Not affected: 1.0.0, 1.0.1
Fixed Versions: 1.0.3
### Impact
Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View's `strip_tags`
these entities will be unescaped what may cause a XSS attack if used in combination
with `raw` or `html_safe`.
For example:
```
strip_tags("<script>alert('XSS')</script>")
```
Would generate:
```
<script>alert('XSS')</script>
```
After the fix it will generate:
```
<script>alert('XSS')</script>
```
All users running an affected release should either upgrade or use one of the
workarounds immediately.
### Releases
The FIXED releases are available at the normal locations.
### Workarounds
If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:
```
$ cat config/initializers/strip_tags_fix.rb
class ActionView::Base
def strip_tags(html)
self.class.full_sanitizer.sanitize(html)
end
end
```
### 参考
* https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc
京公网安备 11010502034610号
暂无评论