Ruby · Ruby On Rails · CVE-2020-15169
**Name of the Vulnerable Software and Affected Versions**
Ruby on Rails versions prior to 5.2.4.4 and 6.0.3.3
**Description**
The issue is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that let the user control the default value of the `t` and `translate` helpers can be susceptible to XSS. When an HTML-unsafe string is passed as the default for a missing translation key named `html` or ending in `_html`, the default string is incorrectly marked as HTML-safe and is not escaped when rendered.
**Recommendations**
For versions prior to 5.2.4.4, update to version 5.2.4.4 or later.
For versions prior to 6.0.3.3, update to version 6.0.3.3 or later.
As a temporary workaround, consider manually escaping default translations with the `html_escape` helper (aliased as `h`) to avoid this issue. For example: `<%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>`
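The following is an added, constructed Ruby model of the behaviour described above (the `_html` key handling, the fix, and the `h` workaround); it is not Rails' own code, and `SafeString`, `TRANSLATIONS`, `UNTRUSTED`, `translate_vulnerable`, `translate_fixed` and `render` are names invented for this example.

```ruby
require "erb"

# Constructed model of ActionView's `t` helper and `<%= %>` output escaping, written
# for this example; it is not Rails' own code. SafeString stands in for Rails'
# html_safe buffer: render emits it raw and escapes every other string.
class SafeString < String; end

TRANSLATIONS = { "greeting_html" => "<b>Hello</b>" }.freeze # constructed locale data
UNTRUSTED = "<script>alert(1)</script>"                     # constructed user input

def html_key?(key)
  key == "html" || key.end_with?("_html")
end

# Model of html_escape / h: escape unless the string is already marked HTML-safe.
def escape(str)
  str.is_a?(SafeString) ? str : SafeString.new(ERB::Util.html_escape(str))
end

# Vulnerable behaviour (CVE-2020-15169): for an html key, whatever was looked up,
# including the caller-supplied default for a missing key, is marked safe unescaped.
def translate_vulnerable(key, default:)
  value = TRANSLATIONS.fetch(key, default)
  html_key?(key) ? SafeString.new(value) : value
end

# Fixed behaviour: only a stored translation is trusted for an html key; a default
# is escaped unless the caller already marked it safe (e.g. via h).
def translate_fixed(key, default:)
  value = TRANSLATIONS[key]
  return (html_key?(key) ? SafeString.new(value) : value) if value
  html_key?(key) ? escape(default) : default
end

# What <%= ... %> does with the helper's return value.
def render(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value)
end

def demo
  {
    vulnerable: render(translate_vulnerable("missing_html", default: UNTRUSTED)),
    fixed:      render(translate_fixed("missing_html", default: UNTRUSTED)),
    workaround: render(translate_vulnerable("missing_html", default: escape(UNTRUSTED))),
    plain_key:  render(translate_vulnerable("missing", default: UNTRUSTED)),
    stored:     render(translate_fixed("greeting_html", default: UNTRUSTED)),
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Only the `_html` key with a missing translation leaks the raw default; a plain key is escaped by the view either way, and pre-escaping the default with `h` closes the gap on the vulnerable path.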