Ruby on Rails - Possible XSS Vulnerability in ActionView tag helpers [CVE-2022-27777]

We discussed this vulnerability during Episode 143 on 09 May 2022

Two fundamental issues allow for XSS in Ruby on Rails (RoR) applications. As RoR is just a framework, both depend on an application using the framework in a way that exposes them.

There were two reported base issues, each present across multiple methods. The first concerns the options argument to methods from FormTagHelper: if an attacker is able to control a key in the options dictionary/hashmap, whether passed under the data field, the aria field, or directly, it is possible to provide malicious input that escapes any sanitization.

The second has the same issue with the options argument but for the generic tag and content_tag methods from TagHelper; these are also vulnerable through their first argument, the tag name.

The original report is light on details about why this happened, but looking at the patch, it appears the helpers were simply escaping the values but not the keys. Straightforward exploitation, then, but a bit surprising it wasn't caught sooner.
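As an added example (not Rails' code and not from the podcast), a minimal Ruby model of a tag helper in the pre-fix shape the text describes, values escaped but keys and tag name interpolated verbatim, next to a hardened version that escapes keys and rejects a malformed tag name; `tag_unsafe`, `tag_safe`, `flatten_options` and `unsafe_keys` are names invented here, and the sample options hash is constructed.

```ruby
require "erb"

# Constructed illustration, not ActionView's code: how a tag helper turns a tag
# name and an options hash (with data:/aria: sub-hashes) into markup.

ATTR_NAME = /\A[a-zA-Z_:][a-zA-Z0-9:._-]*\z/   # plain HTML attribute / tag name

# HTML-escape a string for attribute context (quotes, angle brackets, ampersand).
def escape_html(str)
  ERB::Util.html_escape(str.to_s)
end

# Expand data: { foo: 1 } / aria: { label: "x" } into data-foo / aria-label pairs.
def flatten_options(options)
  options.flat_map do |key, value|
    if %i[data aria].include?(key) && value.is_a?(Hash)
      value.map { |k, v| ["#{key}-#{k}", v] }
    else
      [[key.to_s, value]]
    end
  end
end

# Pre-fix shape: only values are escaped. A caller-controlled key lands in the
# markup unescaped, so a key containing a quote closes the attribute early.
def tag_unsafe(name, options = {})
  attrs = flatten_options(options).map { |k, v| %(#{k}="#{escape_html(v)}") }
  "<#{name} #{attrs.join(' ')}>"
end

# Hardened shape: escape keys as well as values, and refuse a tag name that is
# not a plain identifier instead of interpolating it.
def tag_safe(name, options = {})
  raise ArgumentError, "bad tag name #{name.inspect}" unless name.to_s.match?(ATTR_NAME)
  attrs = flatten_options(options).map { |k, v| %(#{escape_html(k)}="#{escape_html(v)}") }
  "<#{name} #{attrs.join(' ')}>"
end

# Defensive check for code that builds option hashes from request data: list
# the keys that are not plain attribute names so they can be rejected upstream.
def unsafe_keys(options)
  flatten_options(options).map(&:first).reject { |k| k.match?(ATTR_NAME) }
end
```

With `{ id: "x", data: { 'k" injected="1' => "v" } }`, `tag_unsafe("div", ...)` renders an extra `injected` attribute while `tag_safe` emits the key as `data-k&quot; injected=&quot;1` and `unsafe_keys` flags it before it reaches a helper.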