|
| 1 | +--- |
| 2 | +gem: phlex |
| 3 | +ghsa: w67g-2h6v-vjgq |
| 4 | +url: https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq |
| 5 | +title: Phlex XSS protection bypass via attribute splatting, |
| 6 | + dynamic tags, and href values |
| 7 | +date: 2026-02-06 |
| 8 | +description: | |
| 9 | + ### Impact |
| 10 | +
|
| 11 | + During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, |
| 12 | + we identified three specific ways to bypass the XSS (cross-site-scripting) |
| 13 | + protection built into Phlex. |
| 14 | +
|
| 15 | + 1. The first bypass could happen if user-provided attributes with |
| 16 | + string keys were splatted into HTML tag, e.g. `div(**user_attributes)`. |
| 17 | +
|
| 18 | + 2. The second bypass could happen if user-provided tag names were |
| 19 | + passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`. |
| 20 | +
|
| 21 | + 3. The third bypass could happen if user’s links were passed to |
| 22 | + `href` attributes, e.g. `a(href: user_provided_link)`. |
| 23 | +
|
| 24 | + All three of these patterns are meant to be safe and all |
| 25 | + have now been patched. |
| 26 | +
|
| 27 | + ### Patches |
| 28 | +
|
| 29 | + Phlex has patched all three issues and introduced new tests that |
| 30 | + run against Safari, Firefox and Chrome. |
| 31 | +
|
| 32 | + The patched versions are: |
| 33 | +
|
| 34 | + - [2.4.1](https://rubygems.org/gems/phlex/versions/2.4.1) |
| 35 | + - [2.3.2](https://rubygems.org/gems/phlex/versions/2.3.2) |
| 36 | + - [2.2.2](https://rubygems.org/gems/phlex/versions/2.2.2) |
| 37 | + - [2.1.3](https://rubygems.org/gems/phlex/versions/2.1.3) |
| 38 | + - [2.0.2](https://rubygems.org/gems/phlex/versions/2.0.3) |
| 39 | + - [1.11.1](https://rubygems.org/gems/phlex/versions/1.11.1) |
| 40 | +
|
| 41 | + Phlex has also patched the [`main`](https://github.com/yippee-fun/phlex) |
| 42 | + branch in GitHub. |
| 43 | +
|
| 44 | + ### Workarounds |
| 45 | + If a project uses a secure CSP (content security policy) or if the |
| 46 | + application doesn’t use any of the above patterns, it is not at risk. |
| 47 | +cvss_v3: 7.1 |
| 48 | +patched_versions: |
| 49 | + - "~> 1.11.1" |
| 50 | + - "~> 2.0.2" |
| 51 | + - "~> 2.1.3" |
| 52 | + - "~> 2.2.2" |
| 53 | + - "~> 2.3.2" |
| 54 | + - ">= 2.4.1" |
| 55 | +related: |
| 56 | + url: |
| 57 | + - https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq |
| 58 | + - https://github.com/yippee-fun/phlex/commit/1d85da417cb15eb8cb2f54a68d531c9b35d9d03a |
| 59 | + - https://github.com/yippee-fun/phlex/commit/556441d5a64ff93f749e8116a05b2d97264468ee |
| 60 | + - https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d |
| 61 | + - https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac |
| 62 | + - https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1 |
| 63 | + - https://github.com/advisories/GHSA-w67g-2h6v-vjgq |
0 commit comments