XSS vulnerability on Simple Form

There is an XSS vulnerability in Simple Form’s error options.

  • Versions affected: >= 2.0.0
  • Not affected: < 2.0.0
  • Fixed versions: 3.1.0, 3.0.3, 2.1.2

Impact

When Simple Form renders an error message it marks the text as HTML safe, even though it may contain HTML tags. In applications where the error message can be supplied by users, a malicious value can be provided and Simple Form will mark it as safe.

Changes to the behavior

To fix this vulnerability, error messages are now always escaped. If users need to mark them as safe, they must explicitly use the :error option:

f.input :name, error: raw("My <b>error</b>")
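The before-and-after behavior described above, as an added illustration that is not Simple Form’s own code: a minimal stand-in (`SafeString`/`raw`) replaces Rails’ `html_safe`/`raw` so it runs outside Rails, and the sample message is constructed.

```ruby
require "erb"

# Constructed stand-in for Rails' SafeBuffer: a String flagged as already
# escaped, so a template engine will not escape it again.
class SafeString < String
  def html_safe?; true; end
end

# Stand-in for Rails' raw(): the explicit opt-in the advisory describes.
def raw(str)
  SafeString.new(str)
end

# Escape a string unless the caller has explicitly marked it safe.
def html_escape_unless_safe(str)
  return str if str.respond_to?(:html_safe?) && str.html_safe?
  ERB::Util.html_escape(str)
end

# Pre-fix behavior (Simple Form before 3.1.0 / 3.0.3 / 2.1.2, as the
# advisory describes): the error text is always marked HTML safe, so any
# tags it contains reach the page verbatim.
def vulnerable_error_html(message)
  "<span class=\"error\">#{raw(message)}</span>"
end

# Post-fix behavior: the message is escaped unless the application passed
# an explicitly safe value via raw().
def fixed_error_html(message)
  "<span class=\"error\">#{html_escape_unless_safe(message)}</span>"
end

# Constructed sample: an error message that echoes a user-supplied value,
# which is how attacker-controlled markup reaches the error text.
USER_VALUE   = "<script>x</script>"           # constructed, not from the page
USER_MESSAGE = "#{USER_VALUE} is not a valid name"

if __FILE__ == $0
  puts vulnerable_error_html(USER_MESSAGE)   # tags rendered as-is
  puts fixed_error_html(USER_MESSAGE)        # tags escaped
  puts fixed_error_html(raw("My <b>error</b>"))  # explicit opt-in kept
end
```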

Releases

The 3.1.0, 3.0.3 and 2.1.2 releases are available at the regular locations.

Workarounds

There are no feasible workarounds for this issue. We recommend all users to upgrade as soon as possible.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches. They are in git-am format and consist of a single changeset.

Credits

Thanks to Jake Goulding, from WhiteHat Security, and Nicholas Rutherford, from Medify Ltd., for reporting the issue and working with us on a fix.
