There is a XSS vulnerability on Simple Form’s label, hint and error options.
Versions affected: >= 1.1.1
Not affected: < 1.1.1
Fixed versions: 3.0.1, 2.1.1
When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
The 3.0.1 and 2.1.1 releases are available at the normal locations.
If you are unable to upgrade, you can change your code to escape the input before sending to Simple Form
f.input :name, label: html_escape(params[:label])
To aid users who aren’t able to upgrade immediately we have provided patches. They are in git-am format and consist of a single changeset.
Thank you to Paul McMahon from Doorkeeper for reporting the issue and working with us in a fix.