Do not mark strip_tags result as html_safe

Thanks to Marek Labos & Nethemba CVE-2012-3465
author: Santiago Pastorino <santiago@wyeworks.com> 2012-08-08 14:33:39 -0700
committer: Santiago Pastorino <santiago@wyeworks.com> 2012-08-09 16:06:17 -0300
commit: e91e4e8bbee12ce1496bf384c04da6be296b687a (patch)
tree: 1ee0549ee6fe5d3c745d793bd9fc2407974e4975 /actionpack/CHANGELOG.md
parent: 6d0526db91afb0675c2ad3d871529d1536303c64 (diff)
download: rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.tar.gz
rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.tar.bz2
rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 9c12e09392..aceef9ae27 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,12 @@
 ## Rails 3.2.8 ##
 
+*   There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+    helper doesn't correctly handle malformed html.  As a result an attacker can
+    execute arbitrary javascript through the use of specially crafted malformed
+    html.
+
+    *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
 *   When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
     If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
     Vulnerable code will look something like this:
author	Santiago Pastorino <santiago@wyeworks.com>	2012-08-08 14:33:39 -0700
committer	Santiago Pastorino <santiago@wyeworks.com>	2012-08-09 16:06:17 -0300
commit	e91e4e8bbee12ce1496bf384c04da6be296b687a (patch)
tree	1ee0549ee6fe5d3c745d793bd9fc2407974e4975 /actionpack/CHANGELOG.md
parent	6d0526db91afb0675c2ad3d871529d1536303c64 (diff)
download	rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.tar.gz rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.tar.bz2 rails-e91e4e8bbee12ce1496bf384c04da6be296b687a.zip