There is an XSS vulnerability in the `ActiveSupport::JSON.encode` method in Ruby on Rails.
When a `Hash` containing user-controlled data is encoded as JSON (either through
`Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform the escaping
that the `escape_html_entities_in_json` option (enabled by default) implies it
guarantees. If the resulting JSON string is subsequently inserted directly into an
HTML page, the page is vulnerable to XSS attacks.
For example, the following code snippet is vulnerable to this attack:
Similarly, the following is also vulnerable:
var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
To work around this problem, add an initializer with the following code:
Attached patches resolve this issue.
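As an added illustration (not the upstream workaround and not Rails code), the following standalone Ruby encoder applies the escaping that `escape_html_entities_in_json` is meant to guarantee, and includes a check that can be run over encoded output before it is embedded in a `<script>` block. The helper names and the sample data are constructed for this example.

```ruby
require 'json'

# Added example (not Rails code): JSON-encode a value, then escape the characters
# that matter once the string sits inside a <script> element. \uXXXX escapes are
# valid JSON, so the browser still reads the original data, but the HTML parser
# never sees "</script>" or "<!--" in the page source.
HTML_JSON_ESCAPES = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028', # line separator: legal in JSON, ends a JS string literal
  "\u2029" => '\u2029', # paragraph separator: same problem
}.freeze

def encode_json_for_html(value)
  json = JSON.generate(value)
  # Block form of gsub returns the replacement literally (no backreference parsing).
  json.gsub(/[<>&\u2028\u2029]/) { |ch| HTML_JSON_ESCAPES[ch] }
end

# Defensive check: could the HTML parser close the script element or open a
# comment anywhere inside this encoded string?
def safe_for_script_tag?(json)
  !json.match?(%r{</|<!--|-->}i)
end

# Constructed sample standing in for user-supplied data; the markup is a benign marker.
USER_SUPPLIED = { 'name' => 'Alice</script><b>x</b>', 'note' => "a\u2028b" }.freeze

if $PROGRAM_NAME == __FILE__
  plain    = JSON.generate(USER_SUPPLIED)
  hardened = encode_json_for_html(USER_SUPPLIED)
  puts "plain:    #{plain}  safe? #{safe_for_script_tag?(plain)}"
  puts "hardened: #{hardened}  safe? #{safe_for_script_tag?(hardened)}"
  # Round-trip: parsing the escaped form restores the original data unchanged.
  puts JSON.parse(hardened) == USER_SUPPLIED
end
```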
Red Hat would like to thank Ruby upstream developers for reporting this issue. Upstream acknowledges Francois Chagnon of Shopify as the original reporter.
This is now public:
Created attachment 1058043
Patch for ActiveSupport 4.1
Created attachment 1058044
Patch for ActiveSupport 4.2
Created rubygem-activesupport tracking bugs for this issue:
Affects: fedora-all [bug 1249055]
Affects: epel-all [bug 1249056]