Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 3 Dec 2013 11:10:37 -0800
From: Aaron Patterson <>
Subject: [CVE-2013-6416] XSS Vulnerability in simple_format helper

XSS Vulnerability in simple_format helper 

There is a vulnerability in the simple_format helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6416.

Versions Affected:  4.0.0 & 4.0.1
Not affected:       Versions prior to 4.0
Fixed Versions:     4.0.2

The simple_format helper converts user supplied text into html text which is intended to be safe for display.  A change  made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly.  As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.

All users running an affected release and passing user-controlled html attributes to simple_format should either upgrade or use one of the work arounds immediately. 

The 4.0.2 release is available at the normal locations. 

To work around this issue, take care to escape any user provided data before passing it to simple_format.  For example, instead of:

  simple_format(some_text, class: params[:class])

You should use

  simple_format(some_text, class: h(params[:class]))

To aid users who aren't able to upgrade immediately we have provided a patch for the 4.0 release series.  It is in git-am format and consists of a single changeset. 

* 4-0-simple_format_xss.patch - Patch for 4.0 series 

Please note that only the 4.0.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Thanks to Kevin Reintjes for reporting the vulnerability to us and helping us work on a fix.

Aaron Patterson

View attachment "4-0-simple_format_xss.patch" of type "text/plain" (1137 bytes)

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.