<html xmlns="http://www.w3.org/1999/xhtml" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office"><head><!--[if gte mso 9]><xml><o:OfficeDocumentSettings><o:AllowPNG/><o:PixelsPerInch>96</o:PixelsPerInch></o:OfficeDocumentSettings></xml><![endif]--></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yiv8841879420"><div id="yui_3_16_0_ym19_1_1465421927814_3372"><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;" id="yui_3_16_0_ym19_1_1465421927814_3371"><div style="margin:15pt 0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3363"><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3364">The
following is a JavaScript security flaw:</span></div><div style="border-top:solid #E4E4E4 1.0pt;border-left:none;border-bottom:solid #E4E4E4 1.0pt;border-right:none;padding:0in 0in 0in 0in;background:#FAFAFA;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3366">

<div style="margin-bottom:0.0001pt;line-height:13.5pt;border:none;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3367"><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3368">&lt;</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(99, 163, 92);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3369">script</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3370">&gt;</span></div> 

<div style="margin-bottom:0.0001pt;line-height:13.5pt;border:none;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3372"><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3373">&nbsp; </span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(167, 29, 93);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3374">var</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3375"> str = </span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(223, 80, 0);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3376">"</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3377">&lt;/</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(99, 163, 92);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3378">script</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3379">&gt;&lt;</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(99, 163, 92);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3380">script</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3381">&gt;alert(</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(223, 80, 0);border:1pt none windowtext;padding:0in;" 
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3382">'Pwned'</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3383">);&lt;/</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(99, 163, 92);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3384">script</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3385">&gt;";</span></div> 

<div style="margin-bottom:0.0001pt;line-height:13.5pt;border:none;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3387"><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3388">&lt;/</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(99, 163, 92);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3389">script</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3390">&gt;</span></div> 

</div><div style="margin:15pt 0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3392"><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3393">The
browser ignores the fact that the</span><span style="font-size:11.5pt;color:#4D4D4D;border:solid #E4E4E4 1.0pt;padding:0in;background:#FAFAFA;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3394">&lt;script&gt;</span><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3395">&nbsp;tags are inside a
JavaScript String, invoking the&nbsp;</span><span style="font-size:11.5pt;color:#4D4D4D;border:solid #E4E4E4 1.0pt;padding:0in;background:#FAFAFA;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3396">alert()</span><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3397">function.</span></div><div style="margin:15pt 0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3399"><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3400">The
reason for this odd behavior is that the page gets rendered in various stages.
First the HTML is parsed, and a render tree created. Only then is the
JavaScript actually executed. In the example above, the render tree sees the&nbsp;</span><span style="font-size:11.5pt;color:#4D4D4D;border:solid #E4E4E4 1.0pt;padding:0in;background:#FAFAFA;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3401">&lt;script&gt;</span><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3402">&nbsp;tags, and is oblivious
to the fact that they’re inside a string; it has no concept of JavaScript. It
strips these out, and evaluates the script nodes as usual with our injected
message.</span></div><div style="margin:15pt 0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3404"><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3405">This
behavior would be little more than a curiosity, were it not for the common
pattern of injecting JSON into documents, say with ERB.</span></div><div style="border-top:solid #E4E4E4 1.0pt;border-left:none;border-bottom:solid #E4E4E4 1.0pt;border-right:none;padding:0in 0in 0in 0in;background:#FAFAFA;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3407">

<div style="margin-bottom:0.0001pt;line-height:13.5pt;border:none;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3408"><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3409">&lt;</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(99, 163, 92);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3410">script</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3411">&gt;</span></div> 

<div style="margin-bottom:0.0001pt;line-height:13.5pt;border:none;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3413"><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3414">&nbsp; </span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(167, 29, 93);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3415">var</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3416"> users = &lt;%= @users.to_json.html_safe %&gt;;</span></div> 

<div style="margin-bottom:0.0001pt;line-height:13.5pt;border:none;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3418"><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3419">&lt;/</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(99, 163, 92);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3420">script</span><span style="font-size:11.5pt;font-family:'Courier New';color:rgb(51, 51, 51);border:1pt none windowtext;padding:0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3421">&gt;</span></div> 

</div><div style="margin:15pt 0in;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3423"><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3424">If you
have the line above anywhere in your code, and&nbsp;</span><span style="font-size:11.5pt;color:#4D4D4D;border:solid #E4E4E4 1.0pt;padding:0in;background:#FAFAFA;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3425">@users</span><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3426">&nbsp;includes some user-submitted
data, your application is vulnerable to an XSS attack.</span></div><div id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3162">













</div><div style="margin:15pt 0in;" dir="ltr" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3428"><b id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3429"><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3430">[SM-D01-R01] </span></b><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3431">If
you’re using Rails, thwart this vulnerability by setting </span><span style="font-size:11.5pt;color:#4D4D4D;border:solid #E4E4E4 1.0pt;padding:0in;background:#FAFAFA;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3432">ActiveSupport.escape_html_entities_in_json</span><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3433">&nbsp;to&nbsp;</span><span style="font-size:11.5pt;color:#4D4D4D;border:solid #E4E4E4 1.0pt;padding:0in;background:#FAFAFA;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3434">true</span><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3435">. The default is </span><span style="font-size:11.5pt;color:#4D4D4D;border:solid #E4E4E4 1.0pt;padding:0in;background:#FAFAFA;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3436">false</span><span style="font-size:13.5pt;color:#4D4D4D;" id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3437">.</span></div><div></div><div id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3161" dir="ltr">&nbsp;<a href="https://blog.alexmaccaw.com/a-javascript-security-flaw" class="enhancr2_0b26a89e-521d-ff5c-b534-22437599d57c" id="yui_3_16_0_ym19_1_1465421927814_4028">A JavaScript Security Flaw • Alex MacCaw</a></div><div id="yui_3_16_0_ym19_1_1465421927814_4035"><br></div><div><br></div><div class="yiv8841879420signature" 
id="yiv8841879420yui_3_16_0_ym19_1_1465421786123_3160">Nathalie Coupet&nbsp;</div></div></div></div></div></body></html>