• Versions affected: >= 2.0.0
• Not affected: < 2.0.0
• Fixed versions: 3.1.0, 3.0.3, 2.1.2

Impact

When Simple Form renders an error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the error message can be provided by the users, malicious values can be provided and Simple Form will mark them as safe.

Changes at the behavior

To fix this vulnerability error messages are now always escaped. If users need to mark them as safe they will need to use explicitly the :error option:

f.input :name, error: raw("My <b>error</b>")

Releases

The 3.1.0, 3.0.3 and 2.1.2 releases are available at the regular locations.

Workarounds

There are no feasible workarounds for this issue. We recommend all users to upgrade as soon as possible.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches. They are in git-am format and consist of a single changeset.

• Patch for 3.0 series
• Patch for 2.1 series

Credits

Thanks to Jake Goulding, from WhiteHat Security and Nicholas Rutherford from Medify Ltd. for reporting the issue and working with us in a fix.

The post XSS vulnerability on Simple Form first appeared on Plataformatec Blog.

Simple Form:

And Devise:

We would like to congratulate our designer, Bruna Kochi, who was able to capture the essence of each project in their logos. We will write about their design process soon!

Those projects have been in the Rails community for almost 4 years and it was about time for them to have their own visual identity! We would like to thank all contributors and users who have helped those projects to be more robust, flexible and popular!

The post Take a look at Simple Form and Devise brand new logos first appeared on Plataformatec Blog.