XSS vulnerability on Simple Form

Published 2013-11-29 at https://blog.plataformatec.com.br/2013/11/xss-vulnerability-on-simple-form/

There is an XSS vulnerability in Simple Form's label, hint and error options.

Versions affected: >= 1.1.1
Not affected: < 1.1.1
Fixed versions: 3.0.1, 2.1.1

Impact

When Simple Form creates a label, hint or error message it marks the text as HTML safe, even though the text may contain HTML tags. In applications where the text of these helpers can be provided by users, malicious values can be supplied and Simple Form will mark them as safe, so they are rendered unescaped.

Releases

The 3.0.1 and 2.1.1 releases are available at the normal locations.

Workarounds

If you are unable to upgrade, you can change your code to escape the input before passing it to Simple Form:

    f.input :name, label: html_escape(params[:label])

Patches

To aid users who aren't able to upgrade immediately, we have provided patches. They are in git-am format and consist of a single changeset.