Phlex · Phlex · CVE-2024-28199
**Name of the Vulnerable Software and Affected Versions**
phlex versions 1.0.0 through 1.9.0
**Description**
phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user.
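The root cause described above is a check that compared attribute names and link schemes case-sensitively. The following Ruby is an added illustration written for this page, not Phlex's own implementation and not its patch: it shows what a defender-side filter for splatted attributes and user-supplied `href` values looks like once it normalises case (and strips ASCII whitespace/control characters, which browsers ignore in scheme positions) before deciding what to drop. The helper names, the `SAFE_HREF_SCHEMES` allow-list, and the sample attribute hash are all assumptions constructed for the example.

```ruby
# Added example (not Phlex's own code): an attribute/href filter that
# normalises case before deciding whether a user-supplied value is safe.
# HTML attribute names and URL schemes are case-insensitive, so a check
# that compares against "on" or "javascript:" without downcasing first
# would miss mixed-case variants. Everything below is illustrative.

require "cgi"

# Schemes acceptable in a user-supplied href (assumption; adjust per application).
SAFE_HREF_SCHEMES = %w[http https mailto].freeze

# True when an attribute name denotes an event handler (onclick, ONMouseOver, ...).
# Downcasing first is the point of the example; "on*" is matched as a prefix,
# so the filter errs on the side of dropping rather than keeping.
def event_attribute?(name)
  name.to_s.downcase.start_with?("on")
end

# True when a user-supplied href is safe to emit.
# Strips ASCII whitespace/control characters and downcases before comparing
# the scheme against the allow-list; relative URLs carry no scheme and pass.
def safe_href?(value)
  normalised = value.to_s.gsub(/[\x00-\x20]/, "").downcase
  return true if normalised.empty?
  return true if normalised.start_with?("/", "#", "?")   # relative URL
  scheme = normalised[/\A([a-z][a-z0-9+.\-]*):/, 1]
  return true if scheme.nil?                             # no scheme: relative path
  SAFE_HREF_SCHEMES.include?(scheme)
end

# Filters a hash of user-provided attributes (as would be splatted into a tag),
# dropping event handlers and hrefs with a disallowed scheme. Returns the cleaned hash.
def filter_attributes(attrs)
  attrs.each_with_object({}) do |(name, value), out|
    next if event_attribute?(name)
    next if name.to_s.downcase == "href" && !safe_href?(value)
    out[name] = value
  end
end

# Renders an <a> tag from the filtered attributes with HTML-escaped names and values.
def render_anchor(attrs, text)
  pairs = filter_attributes(attrs).map do |name, value|
    %(#{CGI.escapeHTML(name.to_s)}="#{CGI.escapeHTML(value.to_s)}")
  end
  attr_str = pairs.empty? ? "" : " " + pairs.join(" ")
  "<a#{attr_str}>#{CGI.escapeHTML(text)}</a>"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: a benign link plus a mixed-case event attribute.
  user_attrs = { "href" => "https://example.com/", "class" => "link", "onClick" => "doSomething()" }
  puts render_anchor(user_attrs, "Example")
end
```

The two normalisation steps (downcase, strip control characters) happen before any comparison, which is the property the advisory's affected versions lacked; an allow-list of schemes is used rather than a deny-list of bad ones so that unanticipated schemes fail closed.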
**Recommendations**
For versions 1.0.0 through 1.9.0, upgrade to a patched version available on RubyGems.
As a temporary workaround, consider configuring a content security policy that does not allow `unsafe-inline`.
Restrict access to user-provided attributes and links to minimize the risk of exploitation.
Avoid using user-provided data in HTML tags until the issue is resolved.