Phlex · Phlex · CVE-2024-32970
**Name of the Vulnerable Software and Affected Versions**
Phlex versions prior to the patched versions available on RubyGems
**Description**
The issue is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. Phlex's output escaping worked as designed, but it did not account for how permissively browsers execute JavaScript supplied through HTML attributes. If a user-provided link is used in an `<a>` tag's `href` attribute, it could execute JavaScript when clicked. Similarly, if user-provided attributes are used when rendering HTML or SVG tags, malicious event attributes could be included, executing JavaScript when those events are triggered. The project now exercises every possible attack vector, including enumerating every ASCII character, and runs its tests in Chrome, Firefox, and Safari. Additionally, tests are run against a list of 6613 known XSS payloads.
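As an added illustration (not Phlex's own code, and not the fix shipped in the patched gems), the hypothetical Ruby helper below shows the two checks the description implies an application should apply to untrusted attributes before they reach a view: URL-valued attributes must carry an allowlisted scheme, and event-handler attributes are dropped. Because browsers tolerate leading whitespace and ASCII control characters, both checks normalise their input first; the module, method and constant names are assumptions.

```ruby
# Hypothetical helper (not part of Phlex) that filters untrusted attributes
# before they are handed to a view. The two checks correspond to the two
# vectors in the advisory:
#   1. URL-valued attributes (href, src, ...) must use an allowlisted scheme;
#   2. event-handler attributes (onclick, onerror, ...) are never accepted.
module UntrustedAttributes
  SAFE_SCHEMES = %w[http https mailto tel].freeze
  URL_ATTRIBUTES = %w[href src action formaction xlink:href].freeze

  # Browsers ignore leading whitespace and ASCII control characters when
  # parsing a URL scheme, so the value is normalised before it is inspected.
  def self.normalise(value)
    value.to_s.gsub(/[\x00-\x20\x7f]/, "").downcase
  end

  # True for relative URLs and for absolute URLs whose scheme is allowlisted.
  def self.safe_url?(value)
    normalised = normalise(value)
    scheme = normalised[/\A([a-z][a-z0-9+.\-]*):/, 1]
    return true if scheme.nil? # no scheme at all: a relative URL
    SAFE_SCHEMES.include?(scheme)
  end

  # Event-handler attribute names start with "on"; attribute names are parsed
  # just as permissively, so the same normalisation applies.
  def self.event_handler?(name)
    normalise(name).start_with?("on")
  end

  # Returns only the attributes that pass both checks.
  def self.filter(attributes)
    attributes.each_with_object({}) do |(name, value), kept|
      key = name.to_s
      next if event_handler?(key)
      next if URL_ATTRIBUTES.include?(key.downcase) && !safe_url?(value)
      kept[key] = value
    end
  end
end
```

This filter is a layer in front of the view, not a replacement for upgrading or for a Content Security Policy without `unsafe-inline`.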
**Recommendations**
For all affected versions of Phlex, users are advised to upgrade to a patched version available on RubyGems.
As a temporary workaround for users unable to upgrade, configure a Content Security Policy that does not allow `unsafe-inline` to prevent exploitation.
For users who upgrade, it is also recommended to configure a Content Security Policy header that does not allow `unsafe-inline`.