CVE-2024-21636
**Name of the Vulnerable Software and Affected Versions**
view_component versions prior to 3.9.0 and 2.83.0
**Description**
The view_component framework for Ruby on Rails has a cross-site scripting issue that can affect anyone rendering a component directly from a controller with the view_component gem. It affects components that define a `#call` method whose return value is not sanitized and can include user-defined content. The return value of the `#output_postamble` method is likewise not sanitized, which can also lead to cross-site scripting.
**Recommendations**
For versions prior to 3.9.0 and 2.83.0, sanitize the return value of `#call` as a workaround, for example by applying `html_escape` to any user-supplied content inside the `#call` method.
Upgrade to version 3.9.0 or 2.83.0 to fully mitigate both the `#call` and the `#output_postamble` vulnerabilities.
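The following is an added illustration of the `#call` pattern described above and of the `html_escape` workaround; it is not code from the advisory or from the view_component project. To run without Rails or the gem, it uses two plain Ruby classes as stand-ins for a component that defines `#call` (the class names, the `raw_tag?` helper and the sample input are all constructed), and `ERB::Util.html_escape` from Ruby's standard library in place of Rails' helper of the same name.

```ruby
require "erb"

# Constructed stand-ins for a component class: plain Ruby objects whose
# #call method returns the markup a controller would send to the browser.

# Vulnerable pattern: #call interpolates user-supplied text straight into
# the markup it returns, so the string reaches the browser unescaped.
class UnsafeGreetingComponent
  def initialize(name)
    @name = name
  end

  def call
    "<p>Hello, #{@name}!</p>"
  end
end

# Workaround from the advisory: escape user content inside #call before
# returning it. ERB::Util.html_escape replaces & < > " and ' with entities.
class SafeGreetingComponent
  def initialize(name)
    @name = name
  end

  def call
    "<p>Hello, #{ERB::Util.html_escape(@name)}!</p>"
  end
end

# Defender-side check on rendered output: does a raw <script> tag survive?
# (Constructed helper; a real review would use an HTML parser or the
# application's existing sanitizer tests.)
def raw_tag?(html)
  html.match?(/<\s*script\b/i)
end

# Render the same input through both components so the difference is visible.
def render_both(name)
  {
    unsafe: UnsafeGreetingComponent.new(name).call,
    safe: SafeGreetingComponent.new(name).call
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input resembling untrusted user content.
  sample = "<script>alert(1)</script>"
  out = render_both(sample)
  puts "unsafe: #{out[:unsafe]}  raw tag? #{raw_tag?(out[:unsafe])}"
  puts "safe:   #{out[:safe]}  raw tag? #{raw_tag?(out[:safe])}"
end
```

Escaping inside `#call` is only a stopgap for the `#call` path; the `#output_postamble` return value is not covered by it, which is why the advisory recommends upgrading to 3.9.0 or 2.83.0 rather than relying on the workaround alone.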