CVE-2013-6416: XSS Vulnerability in simple_format helper

December 6, 2013 (updated August 8, 2019)

The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.

References

seclists.org/oss-sec/2013/q4/404

Code Behaviors & Features

Detect and mitigate CVE-2013-6416 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →