Vulnerability allowed attacker to input malicious code in certain scenarios
A potential cross-site scripting (XSS) bug has been discovered in Action View, a popular Ruby Gem that handles web requests in the Rails web application framework.
The vulnerability is in Action View’s translation helpers, which attempt to translate user input.
When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped, an advisory explains.
This means that an attacker could supply malicious code that the application treats as trusted HTML and outputs without escaping.
Points of view
The bug was found by maintainer Jonathan Hefner, who told The Daily Swig there has been no evidence of the flaw being exploited in the wild.
Hefner, who discovered the issue when refactoring the translate helper for unrelated reasons, explained how the bug could be exploited.
“I would guess most real-world apps do not contain code that would be impacted,” he said.
“But a plausible example of vulnerable code is: <%= t(favorite_food_from_user, default: favorite_food_from_user) %>, wherein you make a best effort to translate some user input (eg their favorite food), but fall back to the original string if there is no translation.
“In such a case, the user could input <script>alert(‘pwned’);</script>_html, which would fail to be translated, but would still be marked as HTML-safe due to the _html suffix. Thus, it would be output as-is – unescaped.”
The XSS issue has been patched in Rails versions 18.104.22.168 and 22.214.171.124, as well as the project’s master, 6-0-stable and 5-2-stable branches on GitHub.
Action View’s maintainers have also offered a workaround for those who are unable to apply the patch.
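The behaviour described above can be reproduced in a few lines of plain Ruby. This is an added example and a simplified model, not code from Rails or from the advisory: `SafeString`, `translate_buggy`, `translate_fixed`, `render` and the `TRANSLATIONS` table are hypothetical names, and the last case shows caller-side escaping of the default as one defensive option.

```ruby
require "erb"

# Stand-in for a string flagged as HTML-safe (hypothetical, not Rails' class).
class SafeString < String; end

# Constructed sample translation table.
TRANSLATIONS = { "greeting_html" => "<b>Hello</b>" }.freeze

# Key named "html" or ending in "_html", as described in the article.
def html_key?(key)
  key.match?(/(?:\A|_)html\z/)
end

# Buggy model: the fallback default inherits the key's HTML-safe status.
def translate_buggy(key, default:)
  value = TRANSLATIONS.fetch(key, default)
  html_key?(key) ? SafeString.new(value) : value
end

# Fixed model: only a real translation is trusted; the default stays unsafe.
def translate_fixed(key, default:)
  return default unless TRANSLATIONS.key?(key)
  value = TRANSLATIONS[key]
  html_key?(key) ? SafeString.new(value) : value
end

# Model of template output: escape everything not flagged as safe.
def render(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value)
end

# The input quoted in the article, used as both key and default.
USER_INPUT = "<script>alert('pwned');</script>_html"

if __FILE__ == $PROGRAM_NAME
  puts "buggy:      #{render(translate_buggy(USER_INPUT, default: USER_INPUT))}"
  puts "fixed:      #{render(translate_fixed(USER_INPUT, default: USER_INPUT))}"
  # Caller-side mitigation: escape the untrusted default before passing it in.
  escaped = ERB::Util.html_escape(USER_INPUT)
  puts "pre-escape: #{render(translate_buggy(USER_INPUT, default: escaped))}"
end
```
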