There is an XSS vulnerability in Simple Form's error options.
- Versions affected: >= 2.0.0
- Not affected: < 2.0.0
- Fixed versions: 3.1.0, 3.0.3, 2.1.2
When Simple Form renders an error message it marks the text as HTML safe, even though the text may contain HTML tags. In applications where the error message can be supplied by users, a malicious value containing markup can be provided and Simple Form will mark it as safe, so it reaches the page unescaped.
Changes in behavior
To fix this vulnerability, error messages are now always escaped. If users need an error message to be treated as safe HTML, they must mark it as safe explicitly, as this example does with the raw helper:
f.input :name, error: raw("My <b>error</b>")
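The following Ruby script is an added example, not Simple Form's or Rails' own code. It models the behavior the advisory describes with a minimal stand-in for ActiveSupport::SafeBuffer (the SafeString class, the html_safe?, raw and html_escape helpers, and the render_error_vulnerable / render_error_fixed functions are all hypothetical names chosen for illustration), and runs a constructed attacker-controlled message through both the pre-fix and post-fix rendering so the difference is visible:

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer (an assumption for this example,
# not Simple Form's own class): a String that has either been escaped
# already or was deliberately marked safe by the caller with raw().
class SafeString < String; end

def html_safe?(str)
  str.is_a?(SafeString)
end

# Equivalent of the Rails `raw` helper: the caller vouches for the markup.
def raw(str)
  SafeString.new(str.to_s)
end

# Escape unless the caller already marked the string safe.
def html_escape(str)
  return str if html_safe?(str)
  SafeString.new(ERB::Util.html_escape(str.to_s))
end

# Pre-fix behavior as described in the advisory (modelled here, not the
# gem's code): the assembled message is marked safe wholesale, so markup
# in a user-supplied message is emitted verbatim.
def render_error_vulnerable(message, error_prefix: nil)
  text = [error_prefix, message].compact.join(" ")
  %(<span class="error">#{raw(text)}</span>)
end

# Post-fix behavior: every part is escaped unless it was explicitly marked
# safe with raw(), so a user-supplied message is rendered as text.
def render_error_fixed(message, error_prefix: nil)
  text = [error_prefix, message].compact.map { |part| html_escape(part) }.join(" ")
  %(<span class="error">#{text}</span>)
end

# Constructed attacker-controlled value: something a user typed into a
# field that the application later echoes back as a validation message.
ATTACKER_MESSAGE = '<img src=x onerror="alert(1)">'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render_error_vulnerable(ATTACKER_MESSAGE)}"
  puts "fixed:      #{render_error_fixed(ATTACKER_MESSAGE)}"
  puts "opt-in:     #{render_error_fixed(raw('My <b>error</b>'))}"
end
```

The escaping is applied per part rather than to the joined string, so a trusted prefix passed through raw() keeps its markup while an untrusted message next to it is still escaped; after upgrading, any call site that relied on the old implicit html_safe must be changed to pass raw(...) explicitly, and only for text the application itself controls.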
The 3.1.0, 3.0.3 and 2.1.2 releases are available at the regular locations.
There are no feasible workarounds for this issue. We recommend that all users upgrade as soon as possible.
To aid users who aren’t able to upgrade immediately we have provided patches. They are in git-am format and consist of a single changeset.
Thanks to Jake Goulding from WhiteHat Security and Nicholas Rutherford from Medify Ltd. for reporting the issue and working with us on a fix.