Sascha Depold

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions prior to 2.3.13 Ruby on Rails versions 3.0.x prior to 3.0.10 Ruby on Rails versions 3.1.x prior to 3.1.0.rc5 **Description** A cross-site scripting (XSS) issue exists in the `strip tags` helper, allowing remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. This can be achieved by exploiting the `strip tags` helper in `actionpack/lib/action controller/vendor/html-scanner/html/node.rb`. **Recommendations** For Ruby on Rails versions prior to 2.3.13, update to version 2.3.13 or later. For Ruby on Rails versions 3.0.x prior to 3.0.10, update to version 3.0.10 or later. For Ruby on Rails versions 3.1.x prior to 3.1.0.rc5, update to version 3.1.0.rc5 or later. As a temporary workaround, consider restricting the use of the `strip tags` helper until a patch is available.