title: Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `<a>` tags
date: 2024-04-16
description: |
### Summary
There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data.

Our filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`.

### Impact

If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user.

```ruby
a(href: user_profile) { "Profile" }
```

### Mitigation

The best way to mitigate this vulnerability is to update to one of the following versions:
Configuring a [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that does not allow [`unsafe-inline`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#unsafe-inline) would effectively prevent this vulnerability from being exploited.
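Review bot: the Mitigation section promises a version list ("update to one of the following versions:") but the very next visible line is the Content Security Policy sentence, so either the list of fixed versions is missing from this change or it needs to be inserted between those two lines, with a blank line before the CSP paragraph so it does not read as a continuation of the list. Separately, the Markdown body under `description: |` appears at the same indentation as the key; a YAML literal block scalar requires its content to be indented relative to `description`, so if the rendered view reflects the file's real whitespace the advisory will fail to parse. A nit: the bypass description names tab and newline, while a reader would benefit from stating which whitespace characters the updated filter now strips or rejects so downstream users can check their own sanitisers.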