Ruby on Rails DOM-Based Cross-Site Scripting Vulnerability in rails-ujs

Vulnerability

A DOM-based cross-site scripting vulnerability has been identified in the rails-ujs library of Ruby on Rails. It affects versions 5.1.0 and higher, prior to 6.1.7.3 and 7.0.4.3. The vulnerability arises when a user pastes malicious HTML into a contenteditable element, where the pasted markup carries attributes that rails-ujs acts on, such as data-method, data-remote, or data-disable-with. Delivered through the Clipboard API, such markup can be used to run script in the context of the user's origin.

Impact

Exploitation allows arbitrary JavaScript execution in the context of the affected origin, with the usual consequences of cross-site scripting.

Reproduction

To reproduce this vulnerability, paste HTML content that includes a data-method, data-remote, or data-disable-with attribute into a contenteditable element. This can be done by creating a link or button with one of these attributes and then pasting it into the editable area.

Remediation

Users are advised to upgrade to Ruby on Rails 6.1.7.3 or 7.0.4.3. For those unable to upgrade immediately, a patch is available for the 6.1 series.
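For applications that cannot take the upgrade or patch right away, one compensating control is to clean pasted HTML before it lands in a contenteditable element. The code below is an added example written for this page; it is not rails-ujs code and not the Rails patch. It strips the three attributes the advisory names (data-method, data-remote, data-disable-with) from every start tag in a pasted fragment, reports which ones it removed so the paste can be logged, and wires that into a paste handler. The function names (stripUjsAttributes, installPasteGuard, findTagEnd, rewriteStartTag) and the attribute list are this example's own choices; the handler assumes a browser DOM, while the string-level scanner runs anywhere.

```javascript
// Added example (not rails-ujs or Rails code): strip the data-* attributes that
// rails-ujs acts on from pasted HTML before it is inserted into a contenteditable
// element. Assumption: the attribute list below is the set named in the advisory.
const UJS_TRIGGER_ATTRIBUTES = new Set(['data-method', 'data-remote', 'data-disable-with']);

// Index of the '>' that closes the tag opened at `start`, ignoring any '>' inside
// a quoted attribute value; -1 if the tag never closes.
function findTagEnd(html, start) {
  let quote = null;
  for (let j = start + 1; j < html.length; j++) {
    const ch = html[j];
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '>') {
      return j;
    }
  }
  return -1;
}

// Rebuild one tag without the UJS trigger attributes. End tags, comments and
// doctypes carry no attributes and pass through unchanged.
function rewriteStartTag(tag) {
  if (/^<[\/!?]/.test(tag)) return { tag, removed: [] };
  const m = /^<([A-Za-z][^\s\/>]*)([\s\S]*?)(\/?)>$/.exec(tag);
  if (!m) return { tag, removed: [] };
  const [, name, attrBlock, selfClose] = m;
  // attribute name, then an optional =value (double-quoted, single-quoted or bare)
  const attrRe = /([^\s"'>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  const kept = [];
  const removed = [];
  let a;
  while ((a = attrRe.exec(attrBlock)) !== null) {
    const attrName = a[1].toLowerCase(); // HTML attribute names are case-insensitive
    if (UJS_TRIGGER_ATTRIBUTES.has(attrName)) removed.push(attrName);
    else kept.push(a[0]);
  }
  const rebuilt = '<' + name + (kept.length ? ' ' + kept.join(' ') : '') + (selfClose ? ' /' : '') + '>';
  return { tag: rebuilt, removed };
}

// Walk an HTML fragment, rewriting every tag. Returns the cleaned fragment and the
// list of trigger attributes removed. A '<' that never closes (for example an
// unbalanced quote in a tag) is escaped to '&lt;' so the sanitizer fails closed
// rather than passing unparsed markup through.
function stripUjsAttributes(html) {
  let out = '';
  const removed = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const end = findTagEnd(html, lt);
    if (end === -1) { out += '&lt;'; i = lt + 1; continue; }
    const result = rewriteStartTag(html.slice(lt, end + 1));
    out += result.tag;
    removed.push(...result.removed);
    i = end + 1;
  }
  return { html: out, removed };
}

// Browser side (assumes a DOM): intercept paste on a contenteditable element, clean
// the clipboard's text/html, and insert the result at the caret. `onRemoved` is an
// optional hook for logging pastes that carried UJS triggers.
function installPasteGuard(editable, onRemoved) {
  editable.addEventListener('paste', (event) => {
    const html = event.clipboardData ? event.clipboardData.getData('text/html') : '';
    if (!html) return; // plain-text paste carries no attributes; let the browser handle it
    event.preventDefault();
    const { html: clean, removed } = stripUjsAttributes(html);
    if (removed.length && onRemoved) onRemoved(removed);
    const selection = window.getSelection();
    if (!selection.rangeCount) return;
    const range = selection.getRangeAt(0);
    range.deleteContents();
    range.insertNode(range.createContextualFragment(clean));
    selection.collapseToEnd();
  });
}
```

Wire it up with something like installPasteGuard(document.querySelector('[contenteditable]'), names => console.warn('paste carried UJS triggers', names)). Two caveats: the string-level scanner is here so the example runs outside a browser, and in production a DOM-based approach (parse with DOMParser, then removeAttribute on matching elements, or a sanitizer library with an attribute denylist) is more robust against odd markup; and removing these three attributes only neutralizes the rails-ujs triggers the advisory names, it is not a general HTML sanitizer, so the upgrade remains the fix.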

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM