Updated advisory posts against rubysec/ruby-advisory-db@d3c8772

postmodern · RubySec CI · commit 9543dd943370 · 2024-02-24T23:22:29.000Z
diff --git a/advisories/_posts/2024-02-21-CVE-2024-26143.md b/advisories/_posts/2024-02-21-CVE-2024-26143.md
@@ -12,24 +12,49 @@ advisory:
   url: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
   title: Possible XSS Vulnerability in Action Controller
   date: 2024-02-21
-  description: "There is a possible XSS vulnerability when using the translation helpers\n(`translate`,
-    `t`, etc) in Action Controller. This vulnerability has been\nassigned the CVE
-    identifier CVE-2024-26143.\n\nVersions Affected: All. Not affected: None Fixed
-    Versions: 7.1.3.1, 7.0.8.1\n\n# Impact\n\nApplications using translation methods
-    like `translate`, or `t` on a\ncontroller, with a key ending in “_html”, a `:default`
-    key which contains\nuntrusted user input, and the resulting string is used in
-    a view, may be\nsusceptible to an XSS vulnerability.\n\nFor example, impacted
-    code will look something like this:\n\n```\nclass ArticlesController < ApplicationController\n
-    \ def show  \n    @message = t(\"message_html\", default: untrusted_input)\n    #
-    The `show` template displays the contents of `@message`\n  end\nend\n```\n\nTo
-    reiterate the pre-conditions, applications must:\n\n* Use a translation function
-    from a controller (i.e. *not* `I18n.t`, or\n`t` from a view)\n* Use a key that
-    ends in `_html`\n* Use a default value where the default value is untrusted and
-    unescaped input\n* Send the text to the victim (whether that’s part of a template,
-    or a\n  `render` call)\n\nAll users running an affected release should either
-    upgrade or use one of the workarounds immediately.\n\n# Releases\n\nThe fixed
-    releases are available at the normal locations.\n\n# Workarounds\n\nThere are
-    no feasible workarounds for this issue.\n"
+  description: |
+    There is a possible XSS vulnerability when using the translation helpers
+    (`translate`, `t`, etc) in Action Controller. This vulnerability has been
+    assigned the CVE identifier CVE-2024-26143.
+
+    Versions Affected: All. Not affected: None Fixed Versions: 7.1.3.1, 7.0.8.1
+
+    # Impact
+
+    Applications using translation methods like `translate`, or `t` on a
+    controller, with a key ending in “_html”, a `:default` key which contains
+    untrusted user input, and the resulting string is used in a view, may be
+    susceptible to an XSS vulnerability.
+
+    For example, impacted code will look something like this:
+
+    ```
+    class ArticlesController < ApplicationController
+      def show
+        @message = t("message_html", default: untrusted_input)
+        # The `show` template displays the contents of `@message`
+      end
+    end
+    ```
+
+    To reiterate the pre-conditions, applications must:
+
+    * Use a translation function from a controller (i.e. *not* `I18n.t`, or
+    `t` from a view)
+    * Use a key that ends in `_html`
+    * Use a default value where the default value is untrusted and unescaped input
+    * Send the text to the victim (whether that’s part of a template, or a
+      `render` call)
+
+    All users running an affected release should either upgrade or use one of the workarounds immediately.
+
+    # Releases
+
+    The fixed releases are available at the normal locations.
+
+    # Workarounds
+
+    There are no feasible workarounds for this issue.
   patched_versions:
   - "~> 7.0.8, >= 7.0.8.1"
   - ">= 7.1.3.1"
