CVE-2014-0046: XSS Vulnerability With {{link-to}} Helper in Non-block Form

February 27, 2014 (updated August 13, 2018)

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the {{link-to}} helper means that any user-supplied data bound to the {{link-to}} helper’s title attribute will not be escaped correctly. In applications that use the {{link-to}} helper in non-block form and bind the title attribute to user-supplied content, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain (“XSS”).

References

github.com/emberjs/ember.js/commit/83baab02bdff34542c468323816c344721d40c33
groups.google.com/forum/

Code Behaviors & Features

Detect and mitigate CVE-2014-0046 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →