Ruby On Rails · Action View · CVE-2020-5267
**Name of the Vulnerable Software and Affected Versions**
ActionView versions prior to 6.0.2.2 and 5.2.4.2
**Description**
There is a possible cross-site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The helper does not sufficiently neutralize a value for the JavaScript context it is embedded in, so attacker-controlled input can alter the structure of the rendered page. Exploitation of the vulnerability may allow a remote attacker to impact data integrity.
**Recommendations**
For versions prior to 6.0.2.2 and 5.2.4.2, update to version 6.0.2.2 or 5.2.4.2 to resolve the issue.
As a temporary workaround, consider applying the provided monkey patch to the JavaScriptHelper module.
Restrict the use of the `j` and `escape_javascript` methods in views until the issue is resolved.
For those who cannot upgrade immediately, apply the provided patches for the 5.2 and 6.0 series.
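As an added illustration (not the advisory's or the Rails project's own code), the following stand-alone Ruby reimplements the helper in simplified pre-fix and post-fix forms, so the behavioural difference and a defender's output check can be run outside a Rails app. The escape tables and regexes are this example's own approximation of the helper, and the sample input is constructed; the extra escaping of backtick and `$` is what the fixed 6.0.2.2 / 5.2.4.2 releases added.

```ruby
# Added example, not ActionView's code: a simplified stand-in for escape_javascript.
# The tables below approximate the helper's behaviour and are an assumption here.

LEGACY_JS_ESCAPE_MAP = {
  "\\"     => "\\\\",
  "</"     => '<\/',
  "\r\n"   => '\n',
  "\n"     => '\n',
  "\r"     => '\n',
  '"'      => '\\"',
  "'"      => "\\'",
  "\u2028" => "&#x2028;",
  "\u2029" => "&#x2029;"
}.freeze

# Pre-fix behaviour: quotes, backslashes, newlines and "</" are escaped, but the
# template-literal delimiters "`" and "$" pass through untouched.
def escape_javascript_legacy(javascript)
  javascript.to_s.gsub(/(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'])/, LEGACY_JS_ESCAPE_MAP)
end

# Post-fix behaviour: same table plus the two characters that matter inside a
# JavaScript template literal (backtick and the "$" that opens "${...}").
HARDENED_JS_ESCAPE_MAP = LEGACY_JS_ESCAPE_MAP.merge("`" => "\\`", "$" => "\\$").freeze

def escape_javascript_hardened(javascript)
  javascript.to_s.gsub(/(\\|<\/|\r\n|\u2028|\u2029|[\n\r"'`$])/, HARDENED_JS_ESCAPE_MAP)
end

# Defender's check for output that a view places inside a template literal:
# after dropping every backslash-escaped sequence, any remaining raw backtick
# or "${" means the helper did not neutralise it. Returns true when safe.
def safe_in_template_literal?(escaped)
  stripped = escaped.gsub(/\\./m, "")
  !stripped.include?("`") && !stripped.include?("${")
end

if $PROGRAM_NAME == __FILE__
  sample = "O'Reilly `${user.name}`" # constructed untrusted input
  [[:legacy, escape_javascript_legacy(sample)],
   [:hardened, escape_javascript_hardened(sample)]].each do |label, out|
    puts "#{label}: #{out.inspect} safe=#{safe_in_template_literal?(out)}"
  end
end
```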