PT-2011-4190 · Ruby · Ruby On Rails

Sascha Depold · Published 2011-08-29 · Updated 2019-08-08 · CVE-2011-2931

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Ruby on Rails versions prior to 2.3.13
Ruby on Rails versions 3.0.x prior to 3.0.10
Ruby on Rails versions 3.1.x prior to 3.1.0.rc5

Description

A cross-site scripting (XSS) issue exists in the strip_tags helper, allowing remote attackers to inject arbitrary web script or HTML via a tag with an invalid name. The affected code is the HTML scanner behind the strip_tags helper, in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.

Recommendations

For Ruby on Rails versions prior to 2.3.13, update to version 2.3.13 or later.
For Ruby on Rails versions 3.0.x prior to 3.0.10, update to version 3.0.10 or later.
For Ruby on Rails versions 3.1.x prior to 3.1.0.rc5, update to version 3.1.0.rc5 or later.
As a temporary workaround, consider restricting the use of the strip_tags helper until the update is applied.
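As an added example (not part of this advisory or of Rails itself), the following Ruby check maps a Rails version, either given directly or read from a Gemfile.lock, to the fixed release this advisory names for its series; the lockfile excerpt below is constructed, and Gem::Version is used because it orders prerelease tags such as "rc5" correctly.

```ruby
require "rubygems" # Gem::Version: orders "3.1.0.rc4" < "3.1.0.rc5" < "3.1.0"

# Fixed releases per affected series, as listed in the advisory for CVE-2011-2931.
FIXED_2_X = "2.3.13"
FIXED_3_0 = "3.0.10"
FIXED_3_1 = "3.1.0.rc5"

# Returns the fixed version the given Rails version should be moved to,
# or nil when the version is not in any range the advisory lists.
def cve_2011_2931_fix_for(rails_version)
  v = Gem::Version.new(rails_version)
  major, minor = v.segments[0, 2] # e.g. "3.1.0.rc4" -> [3, 1, 0, "rc", 4]
  fixed = case [major, minor]
          when [3, 1] then FIXED_3_1
          when [3, 0] then FIXED_3_0
          else major < 3 ? FIXED_2_X : nil # 3.2+ is outside the advisory's scope
          end
  return nil unless fixed && v < Gem::Version.new(fixed)
  fixed
end

# Extracts the pinned rails version from Gemfile.lock text; spec lines under
# GEM/specs are indented four spaces and look like "    rails (3.0.9)".
def rails_version_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}rails \(([^)]+)\)\s*$/)
  match && match[1]
end

# Constructed Gemfile.lock excerpt for demonstration (not from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.0.9)
      rails (3.0.9)
      railties (3.0.9)
LOCK

if __FILE__ == $PROGRAM_NAME
  pinned = rails_version_from_lockfile(SAMPLE_LOCKFILE)
  fix = cve_2011_2931_fix_for(pinned)
  puts fix ? "rails #{pinned} is affected; update to #{fix}" : "rails #{pinned} not affected"
end
```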

Exploit · Fix · XSS


Weakness Enumeration

Related identifiers

CVE-2011-2931
DSA-2301-1
GHSA-V5JG-558J-Q67C

Affected products

Ruby On Rails
Suse