There is an XSS vulnerability in the ActiveSupport::JSON.encode method in Ruby on Rails. When a `Hash` containing user-controlled data is encoded as JSON (either through `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate escaping that matches the guarantee implied by the `escape_html_entities_in_json` option (which is enabled by default). If the resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

For example, the following code snippet is vulnerable to this attack:

    <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>

Similarly, the following is also vulnerable:

    <script>
      var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
    </script>

Workarounds
-----------

To work around this problem add an initializer with the following code:

    module ActiveSupport
      module JSON
        module Encoding
          private
          class EscapedString
            def to_s
              self
            end
          end
        end
      end
    end

Attached patches resolve this issue.

Acknowledgements: Red Hat would like to thank Ruby upstream developers for reporting this issue. Upstream acknowledges Francois Chagnon of Shopify as the original reporter.
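As an added example (not code from Rails or from this advisory): a small Ruby encoder that applies the escaping `escape_html_entities_in_json` is meant to guarantee, together with a check a defender can run on JSON before it is placed inside a script element. The helper names and the sample Hash are constructed for illustration.

```ruby
# Added example, not Rails' own implementation. Demonstrates the escaping the
# escape_html_entities_in_json option is meant to guarantee: JSON that will be
# embedded in a <script> body must not contain the characters that can close
# the element or change how the surrounding HTML/JavaScript is parsed.
require 'json'

# `<` and `>` could terminate the <script> element, `&` can begin an entity,
# and U+2028/U+2029 are legal in JSON strings but end a JavaScript statement.
# Each is rewritten as a JSON \uXXXX escape, which decodes to the same value.
HTML_UNSAFE = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# Encode any Ruby object (Hash keys included, which is what the advisory
# concerns) and escape the unsafe characters in the resulting JSON text.
def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |c| HTML_UNSAFE[c] }
end

# Check for JSON about to be inserted into a <script> element: true only if
# none of the unsafe characters survive literally anywhere in the text.
def safe_for_script_tag?(json)
  !json.match?(/[<>&\u2028\u2029]/)
end

# Constructed sample input: both the key and the value carry characters that
# must not reach the page unescaped.
SAMPLE = { 'k<1>' => 'a & b</script>' }.freeze

if __FILE__ == $PROGRAM_NAME
  plain = JSON.generate(SAMPLE)
  safe  = html_safe_json(SAMPLE)
  puts "plain:   #{plain}  safe? #{safe_for_script_tag?(plain)}"
  puts "escaped: #{safe}  safe? #{safe_for_script_tag?(safe)}"
  # Escaping changes the wire form only; the decoded value is unchanged.
  puts "round-trip ok: #{JSON.parse(safe) == SAMPLE}"
end
```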
This is now public: http://seclists.org/oss-sec/2015/q2/732
Created attachment 1058043: Patch for ActiveSupport 4.1
Created attachment 1058044: Patch for ActiveSupport 4.2
Created rubygem-activesupport tracking bugs for this issue: Affects: fedora-all [bug 1249055] Affects: epel-all [bug 1249056]