Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneSpeledingH1:755354
HistoryDec 10, 2019 - 6:00 p.m.

Ruby on Rails: Prevent XSS when passing a parameter directly into link_to

2019-12-1018:00:07
speleding
hackerone.com
17
JSON

Note: I would say this is perhaps more of a feature request than an actual vulnerability, but Rafael França deleted this from GitHub and asked to submit it here instead

In a rails views it’s easy to accidentally create an XSS vulnerability by using the following in a template:
<%= link_to 'Back', params[:back] %>

Doing this exposes the app to an attack that can easily be demonstrated by simply adding this to URL of that view:
?back=javascript%3Aalert%28boom%29%3B

I think it would be good if rails detects this situation and filters the link_to parameter if it’s from an untrusted source. The attached two-line patch does this by only allowing the HTTP(S) protocol in that case.

Impact

If a programmer inadvertently passes a parameter directly into link_to then this would leave his site open to an XSS attack. Since rails filters untrusted parameters in many other situations it may not be apparent to the casual observer that link_to does not filter javascript.

JSON