FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Rails 4 -- Possible XSS Vulnerability in Action View

Affected packages
3.0.0 < rubygem-actionview < 4.2.7.1

Details

VuXML ID 43f1c867-654a-11e6-8286-00248c0c745d
Discovery 2016-08-11
Entry 2016-08-18

Ruby Security team reports:

There is a possible XSS vulnerability in Action View. Text declared as "HTML safe" will not have quotes escaped when used as attribute values in tag helpers. This vulnerability has been assigned the CVE identifier CVE-2016-6316.
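
The behaviour the report describes, as an added Ruby illustration (not code from the advisory or from Rails). `SafeString`, the helper names and the sample value are constructed stand-ins, and the second helper shows one mitigation: escaping every attribute value regardless of the "HTML safe" flag.

```ruby
# Added illustration; a simplified model, not Action View's source code.
# SafeString stands in for a string the application has declared "HTML safe".
class SafeString < String
  def html_safe?
    true
  end
end

HTML_ESCAPES = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
  '"' => "&quot;", "'" => "&#39;"
}.freeze

def escape_html(text)
  text.to_s.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Behaviour described in the advisory: a value marked safe is copied into
# the double-quoted attribute as-is, so a quote inside it ends the attribute.
def attribute_trusting_safe(name, value)
  trusted = value.respond_to?(:html_safe?) && value.html_safe?
  %(#{name}="#{trusted ? value : escape_html(value)}")
end

# Hardened form: attribute values are escaped regardless of the safe flag.
def attribute_always_escaped(name, value)
  %(#{name}="#{escape_html(value)}")
end

# Number of attributes an HTML parser would see in the rendered fragment.
def attribute_count(fragment)
  fragment.scan(/[\w-]+="[^"]*"/).length
end

# Constructed sample input: a harmless value containing a double quote.
SAMPLE = SafeString.new('report" data-extra="1')

if __FILE__ == $PROGRAM_NAME
  [:attribute_trusting_safe, :attribute_always_escaped].each do |helper|
    html = send(helper, "title", SAMPLE)
    puts "#{helper}: #{html} (#{attribute_count(html)} attribute(s))"
  end
end
```

When auditing templates on an affected version, the call sites to review are tag helpers whose attribute values were marked HTML safe after including user-controlled text.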

References

CVE Name CVE-2016-6316
URL https://groups.google.com/forum/#!topic/ruby-security-ann/8B2iV2tPRSE