
Cross-site Scripting (XSS) Through Unescaped JSON String in petems/tugboat (master) #270

Closed
petems opened this issue Jul 3, 2017 · 0 comments

petems (Owner) commented Jul 3, 2017

Issue Details

  • Vulnerability: Cross-site Scripting (XSS) Through Unescaped JSON String
  • Severity: Medium
  • Project: petems/tugboat
  • Branch: master
  • Scan Date: Jul 3, 2017 12:01:10

Issue Description

There is an XSS vulnerability in the ActiveSupport::JSON.encode method in json/encoding.rb for Ruby on Rails. When a 'Hash' containing user-controlled data is encoded as JSON (either through 'Hash#to_json' or 'ActiveSupport::JSON.encode'), Rails does not perform adequate escaping that matches the guarantee implied by the 'escape_html_entities_in_json' option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

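The mechanism the finding describes, as an added illustration that is not part of this issue or of the tugboat project: a hash holding a user-controlled string is serialised with the stock `JSON` generator, which leaves `<`, `>` and `&` raw, so a value containing `</script>` can terminate a `<script>` block it is embedded in. The `html_safe_json` helper below is a stand-alone reimplementation of the escaping that `escape_html_entities_in_json` is meant to guarantee (in Rails the equivalent is `ERB::Util.json_escape`); the sample data and the helper names are constructed for this example. It also escapes U+2028/U+2029, which are legal inside JSON strings but act as line terminators in JavaScript.

```ruby
require 'json'

# Constructed sample: a hash with a user-controlled value, as it would reach
# Hash#to_json / ActiveSupport::JSON.encode before being dropped into a view.
USER_DATA = {
  "name" => "</script><b>not a name</b>",
  "note" => "line one\u2028line two"
}.freeze

# Characters that must never appear raw when JSON is placed inside <script>:
# the HTML-significant ones plus the two Unicode line terminators. Each maps
# to a JSON \uXXXX escape, so the output is still valid JSON.
JSON_HTML_ESCAPES = {
  "<"      => '\u003c',
  ">"      => '\u003e',
  "&"      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# Plain JSON.generate: valid JSON, but "</script>" survives verbatim, which is
# the condition the finding describes.
def unsafe_json(data)
  JSON.generate(data)
end

# Escape the generated JSON so it cannot close or alter the enclosing <script>
# element. JSON.parse on the result yields the original data unchanged.
def html_safe_json(data)
  JSON.generate(data).gsub(/[<>&\u2028\u2029]/u) { |c| JSON_HTML_ESCAPES[c] }
end

# Detection check a reviewer or test suite can apply to any JSON that will be
# inlined into HTML: a literal "</script" means the escaping step was skipped.
def embeds_script_close?(json)
  json.include?("</script")
end

# Confirms the escaping is lossless for the consumer.
def round_trips?(data)
  JSON.parse(html_safe_json(data)) == data
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:   #{unsafe_json(USER_DATA)}"
  puts "escaped:  #{html_safe_json(USER_DATA)}"
  puts "round-trips: #{round_trips?(USER_DATA)}"
end
```

The point of the round-trip check is that the fix lives entirely in the encoder: the browser's JSON parser decodes `\u003c` back to `<`, so application code sees identical data, while the HTML parser never encounters a raw tag boundary.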

petems added a commit that referenced this issue Jul 3, 2017