GHSA-g7xq-xv8c-h98c (phlex): Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `` tags

Ruby Security Advisory

### Summary
There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data.

Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `` tag could be bypassed with tab `t` or newline `n` characters between the characters of the protocol, e.g. `javatscript:`.

### Impact

If you render an `` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.

“`ruby
a(href: user_profile) { “Profile” }
“`

### Mitigation

The best way to mitigate this vulnerability is to update to one of the following versions:

– [1.10.1](https://rubygems.org/gems/phlex/versions/1.10.1)
– [1.9.2](https://rubygems.org/gems/phlex/versions/1.9.2)
– [1.8.3](https://rubygems.org/gems/phlex/versions/1.8.3)
– [1.7.2](https://rubygems.org/gems/phlex/versions/1.7.2)
– [1.6.3](https://rubygems.org/gems/phlex/versions/1.6.3)
– [1.5.3](https://rubygems.org/gems/phlex/versions/1.5.3)
– [1.4.2](https://rubygems.org/gems/phlex/versions/1.4.2)

### Workarounds
Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited.

READ MORE

Leave a Reply

Your email address will not be published. Required fields are marked *