Ruby on Rails Action View
cpe:2.3:a:rubyonrails:actionview:*:*:*:*:*:*:*
- >= 8.1, < 8.1.2.1
- >= 8.0, < 8.0.4.1
- < 7.2.3.1
A vulnerability in the Action View component of Ruby on Rails could lead to cross-site scripting (XSS). It affects the releases before 8.1.2.1, 8.0.4.1, and 7.2.3.1, in the ranges listed above. The vulnerability arises when a blank string is used as an HTML attribute name in Action View tag helpers. In that case the normal escaping of attributes is bypassed and the helper emits malformed HTML. An attacker can exploit the malformed HTML by crafting an attribute value that the browser misinterprets as a separate attribute name, potentially leading to XSS. Applications that permit users to specify custom HTML attributes are particularly vulnerable.
Exploitation of this vulnerability could result in cross-site scripting (XSS) attacks, allowing an attacker to inject malicious scripts that are executed in the context of the user's browser.
To reproduce this vulnerability, use an affected version of Ruby on Rails and create a view that utilizes Action View tag helpers. Include a custom HTML attribute with a blank string as the attribute name. The resulting HTML will be malformed, as the blank attribute name is not properly escaped. This can be verified by inspecting the rendered HTML output, in which the tag carrying the blank attribute name is malformed.
Users can upgrade to Ruby on Rails versions 8.1.2.1, 8.0.4.1, or 7.2.3.1, where this vulnerability has been patched.
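Alongside the upgrade, an application that accepts attribute names from users can filter them before they reach a tag helper, so that a blank name is never rendered. The following is an added example, not code from Rails or from this advisory; `filter_tag_attributes`, `ALLOWED_NAMES`, `PREFIXED_NAME` and the sample input are hypothetical and chosen for illustration.

```ruby
# Added example: stand-alone Ruby, no Rails required.
# All names below are hypothetical, not part of any Rails API.
require "set"

ALLOWED_NAMES = Set.new(%w[class id title lang dir role]).freeze
# Conservative shape for data-*/aria-* names: lowercase letters, digits, hyphens.
PREFIXED_NAME = /\A(?:data|aria)-[a-z0-9]+(?:-[a-z0-9]+)*\z/

# Splits user-supplied attributes into [kept, rejected].
# Blank names (nil, "", whitespace-only) are always rejected, as is any
# name outside the allowlist, so neither is passed on to a tag helper.
def filter_tag_attributes(attrs)
  kept = {}
  rejected = []
  attrs.each do |name, value|
    key = name.to_s.strip.downcase
    if key.empty?
      rejected << [name, :blank_name]
    elsif ALLOWED_NAMES.include?(key) || PREFIXED_NAME.match?(key)
      kept[key] = value.to_s
    else
      rejected << [name, :not_allowed]
    end
  end
  [kept, rejected]
end

# Constructed sample input, standing in for attributes taken from a form.
SAMPLE = {
  "class" => "note",
  "" => "anything",
  "   " => "anything",
  nil => "anything",
  :"data-kind" => "warning",
  "onclick" => "anything",
  "Title" => "Hello"
}.freeze

if __FILE__ == $PROGRAM_NAME
  kept, rejected = filter_tag_attributes(SAMPLE)
  puts "kept:     #{kept.inspect}"
  rejected.each { |name, reason| puts "rejected: #{name.inspect} (#{reason})" }
end
```

Logging the rejected entries with reason `:blank_name` gives a signal that requests are supplying empty attribute names.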