CVE-2011-4319: Translate helper method which may allow an attacker to insert arbitrary code into a page
The helper method for i18n translations has a convention whereby translation strings with a name ending in ‘html’ are considered HTML safe. There is also a mechanism for interpolation. It has been discovered that these ‘html’ strings allow arbitrary values to be contained in the interpolated input, and these values are not escaped.
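The following is an added example, not code from Rails or from this advisory: a constructed, minimal model of the translate helper convention showing the unescaped interpolation the advisory describes next to a hardened variant that escapes interpolated values in ‘html’ keys unless the caller has marked them safe. The `TRANSLATIONS` table, the `SafeString` marker class and both function names are assumptions made for the illustration.

```ruby
require "cgi"

# Constructed translation table (not a real locale file). By convention a key
# ending in "html" is treated as HTML-safe and rendered without escaping.
TRANSLATIONS = {
  "greeting_html" => "Hello <b>%{name}</b>",
  "greeting"      => "Hello %{name}",
}.freeze

# Marker type standing in for an html_safe string: a value the caller has
# explicitly vouched for, so it must not be escaped again.
class SafeString < String; end

# Behaviour described in CVE-2011-4319: the whole translated string is
# considered safe, so every interpolated value is inserted verbatim, even
# when it came straight from user input.
def translate_unsafe(key, **values)
  text = TRANSLATIONS.fetch(key)
  text.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Hardened variant: for ‘html’ keys, HTML-escape each interpolated value
# unless it is already marked safe. Plain keys are left alone because the
# view layer escapes the entire result for those anyway.
def translate_safe(key, **values)
  text = TRANSLATIONS.fetch(key)
  html_key = key.end_with?("html")
  text.gsub(/%\{(\w+)\}/) do
    value = values.fetch(Regexp.last_match(1).to_sym)
    if html_key && !value.is_a?(SafeString)
      CGI.escapeHTML(value.to_s)
    else
      value.to_s
    end
  end
end
```

Running both helpers on the same untrusted `name` value shows the difference: the unsafe helper emits the caller's markup inside the trusted template, while the hardened one only passes through values explicitly wrapped in `SafeString`.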