| summary |
Rails has possible XSS Vulnerability in Action Controller
# Possible XSS Vulnerability in Action Controller
There is a possible XSS vulnerability when using the translation helpers
(`translate`, `t`, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.
Versions Affected: >= 7.0.0.
Not affected: < 7.0.0
Fixed Versions: 7.1.3.1, 7.0.8.1
Impact
------
Applications using translation methods like `translate`, or `t` on a
controller, with a key ending in "_html", a `:default` key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.
For example, impacted code will look something like this:
```ruby
class ArticlesController < ApplicationController
def show
@message = t("message_html", default: untrusted_input)
# The `show` template displays the contents of `@message`
end
end
```
To reiterate the pre-conditions, applications must:
* Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from
a view)
* Use a key that ends in `_html`
* Use a default value where the default value is untrusted and unescaped input
* Send the text to the victim (whether that's part of a template, or a
`render` call)
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
There are no feasible workarounds for this issue.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 7-0-translate-xss.patch - Patch for 7.0 series
* 7-1-translate-xss.patch - Patch for 7.1 series
Credits
-------
Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix! |