VYPR
Low severity · NVD Advisory · Published Feb 27, 2014 · Updated Apr 29, 2026

CVE-2014-0046

Description

Cross-site scripting (XSS) vulnerability in the link-to helper in Ember.js 1.2.x before 1.2.2, 1.3.x before 1.3.2, and 1.4.x before 1.4.0-beta.6, when used in non-block form, allows remote attackers to inject arbitrary web script or HTML via the title attribute.
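To make the defect and the fix concrete, the following is an added example (not Ember's or the advisory's own code) that models the non-block helper's title rendering in plain JavaScript. `SafeString` and `escapeExpression` are simplified stand-ins for `Handlebars.SafeString` and `Handlebars.Utils.escapeExpression` (assumed to keep the same contract: a SafeString is trusted and passed through unescaped), and the `<b>BLAMMO</b>` value is the constructed input used by the patch's own test.

```javascript
// Added example, not Ember's code: how the non-block {{link-to}} title was
// rendered before and after the CVE-2014-0046 fix, reduced to plain functions.

// Stand-in for Handlebars.SafeString (assumption: same "already safe" semantics).
class SafeString {
  constructor(str) { this.string = String(str); }
  toString() { return this.string; }
}

const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;'
};

// Stand-in for Handlebars.Utils.escapeExpression: SafeStrings are not escaped,
// everything else is HTML-entity encoded character by character (no double escaping).
function escapeExpression(value) {
  if (value instanceof SafeString) return value.toString();
  return String(value).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable shape: the bound property is returned verbatim as the link's inner HTML,
// so markup stored in the property becomes live DOM.
function renderTitleVulnerable(context, path) {
  return context[path];
}

// Fixed shape, following the patch step by step:
//  1. null/undefined collapse to the empty string,
//  2. anything that is not a SafeString is stringified,
//  3. unless the caller opted out with `unescaped`, the value is escaped.
function renderTitleFixed(context, path, hash = {}) {
  let result = context[path];
  if (result === null || result === undefined) {
    result = '';
  } else if (!(result instanceof SafeString)) {
    result = String(result);
  }
  if (!hash.unescaped) {
    result = escapeExpression(result);
  }
  return String(result);
}

// Wrap either renderer in the anchor the helper emits (id taken from the patch's test).
function renderAnchor(titleRenderer, context, path, hash) {
  return '<a id="link" href="/">' + titleRenderer(context, path, hash) + '</a>';
}

// Crude stand-in for the test's `Ember.$('b', '#qunit-fixture').length`:
// count opening tags of the given name that survived in the rendered markup.
function countOpenTags(html, tag) {
  const re = new RegExp('<' + tag + '(\\s|>)', 'g');
  return (html.match(re) || []).length;
}

// Constructed controller state, mirroring the value the patch's test binds to `display`.
const controller = { display: '<b>BLAMMO</b>' };
console.log('vulnerable:', renderAnchor(renderTitleVulnerable, controller, 'display'));
console.log('fixed:     ', renderAnchor(renderTitleFixed, controller, 'display'));
```

The defender's takeaway is the order of the three steps: the SafeString check must run before stringification, otherwise a trusted value would be converted to a plain string and then escaped a second time, and the `unescaped` opt-out is the only path by which raw markup can reach the anchor, so any use of it in a template is the place to audit.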

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                   Affected versions                 Patched versions
ember-source (RubyGems)   >= 1.2.0, < 1.2.2                 1.2.2
ember-source (RubyGems)   >= 1.3.0, < 1.3.2                 1.3.2
ember-source (RubyGems)   >= 1.4.0.beta.1, < 1.4.0.beta.6   1.4.0.beta.6

Affected products

  • Emberjs/Ember.js (5 versions)
    • cpe:2.3:a:emberjs:ember.js:1.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:emberjs:ember.js:1.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:emberjs:ember.js:1.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:emberjs:ember.js:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:emberjs:ember.js:1.4.0:beta:*:*:*:*:*:*

Patches

ab3199e68e1d

[SECURITY CVE-2014-0046] Ensure link-to non-block escapes title.

https://github.com/emberjs/ember.js · Robert Jackson · Feb 5, 2014 · via ghsa
2 files changed · +32 −1
  • packages/ember-routing/lib/helpers/link_to.js (+10 −1, modified)
    @@ -732,7 +732,16 @@ Ember.onLoad('Ember.Handlebars', function(Handlebars) {
             if (linkType === 'ID') {
               options.linkTextPath = linkTitle;
               options.fn = function() {
    -            return Ember.Handlebars.get(context, linkTitle, options);
    +            var result = Ember.Handlebars.get(context, linkTitle, options);
    +            if (result === null || result === undefined) {
    +              result = "";
    +            } else if (!(result instanceof Handlebars.SafeString)) {
    +              result = String(result);
    +            }
    +            if (!options.hash.unescaped){
    +              result = Handlebars.Utils.escapeExpression(result);
    +            }
    +            return result;
               };
             } else {
               options.fn = function() {
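Review bot: the `unescaped` hash option tested in `if (!options.hash.unescaped){` reintroduces the original risk on demand, with nothing in this hunk checking that the value is trusted; that is an acceptable opt-out for callers that sanitize themselves, but it should be called out in the helper's documentation and the changelog so that `unescaped=true` is understood to put the caller in charge of escaping. The ordering of the added steps is right: `null`/`undefined` collapse to `""`, `SafeString` instances are left intact so `escapeExpression` can pass them through, and everything else is stringified before escaping.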
    
  • packages/ember/tests/helpers/link_to_test.js (+22 −0, modified)
    @@ -1140,3 +1140,25 @@ if (Ember.FEATURES.isEnabled('link-to-non-block')) {
         assertEquality('/about');
       });
     }
    +
    +test("The non-block form {{link-to}} protects against XSS", function() {
    +  Ember.TEMPLATES.application = Ember.Handlebars.compile("{{link-to display 'index' id='link'}}");
    +
    +  App.ApplicationController = Ember.Controller.extend({
    +    display: 'blahzorz'
    +  });
    +
    +  bootApplication();
    +
    +  Ember.run(router, 'handleURL', '/');
    +
    +  var controller = container.lookup('controller:application');
    +
    +  equal(Ember.$('#link', '#qunit-fixture').text(), 'blahzorz');
    +  Ember.run(function() {
    +    controller.set('display', '<b>BLAMMO</b>');
    +  });
    +
    +  equal(Ember.$('#link', '#qunit-fixture').text(), '<b>BLAMMO</b>');
    +  equal(Ember.$('b', '#qunit-fixture').length, 0);
    +});
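Review bot: the new test lands after the `}` that closes `if (Ember.FEATURES.isEnabled('link-to-non-block')) {` (the hunk header and the last context line show this), so on this branch it runs even when the non-block form is flagged off, unlike the `assertEquality('/about')` test above it; either move it inside that guard or skip it when the feature is disabled, otherwise the suite fails for a reason unrelated to the escaping change.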
    
94b28b8773ac

[SECURITY CVE-2014-0046] Ensure link-to non-block escapes title.

https://github.com/emberjs/ember.js · Robert Jackson · Feb 5, 2014 · via ghsa
2 files changed · +32 −1
  • packages/ember-routing/lib/helpers/link_to.js (+10 −1, modified)
    @@ -753,7 +753,16 @@ Ember.onLoad('Ember.Handlebars', function(Handlebars) {
           if (linkType === 'ID') {
             options.linkTextPath = linkTitle;
             options.fn = function() {
    -          return Ember.Handlebars.get(context, linkTitle, options);
    +          var result = Ember.Handlebars.get(context, linkTitle, options);
    +          if (result === null || result === undefined) {
    +            result = "";
    +          } else if (!(result instanceof Handlebars.SafeString)) {
    +            result = String(result);
    +          }
    +          if (!options.hash.unescaped){
    +            result = Handlebars.Utils.escapeExpression(result);
    +          }
    +          return result;
             };
           } else {
             options.fn = function() {
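Review bot: `result = "";` for `null`/`undefined` is a behaviour change beyond the security fix: before this hunk a missing property came back from `Ember.Handlebars.get(context, linkTitle, options)` and was handed straight to the renderer, now the link text is an empty string. That is probably what users want, but it deserves a line in the commit message or changelog and a test binding the title to an absent property, since the test added in this commit only covers a populated string.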
    
  • packages/ember/tests/helpers/link_to_test.js (+22 −0, modified)
    @@ -1154,6 +1154,28 @@ test("The non-block form {{link-to}} performs property lookup", function() {
       assertEquality('/about');
     });
     
    +test("The non-block form {{link-to}} protects against XSS", function() {
    +  Ember.TEMPLATES.application = Ember.Handlebars.compile("{{link-to display 'index' id='link'}}");
    +
    +  App.ApplicationController = Ember.Controller.extend({
    +    display: 'blahzorz'
    +  });
    +
    +  bootApplication();
    +
    +  Ember.run(router, 'handleURL', '/');
    +
    +  var controller = container.lookup('controller:application');
    +
    +  equal(Ember.$('#link', '#qunit-fixture').text(), 'blahzorz');
    +  Ember.run(function() {
    +    controller.set('display', '<b>BLAMMO</b>');
    +  });
    +
    +  equal(Ember.$('#link', '#qunit-fixture').text(), '<b>BLAMMO</b>');
    +  equal(Ember.$('b', '#qunit-fixture').length, 0);
    +});
    +
     test("the {{link-to}} helper calls preventDefault", function(){
       Router.map(function() {
         this.route("about");
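Review bot: the added test exercises only the default path of the escaping introduced in link_to.js; the two branches that deliberately skip escaping, `result instanceof Handlebars.SafeString` and `options.hash.unescaped`, have no coverage here. Add one case that sets `display` to `new Handlebars.SafeString('<b>BLAMMO</b>')` and one that uses `unescaped=true` in the compiled template, each asserting `Ember.$('b', '#qunit-fixture').length` equals 1, so a later refactor cannot silently drop either pass-through.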
    
45ee8df2a0ef

[SECURITY CVE-2014-0046] Ensure link-to non-block escapes title.

https://github.com/emberjs/ember.js · Robert Jackson · Feb 5, 2014 · via ghsa
2 files changed · +32 −1
  • packages/ember-routing/lib/helpers/link_to.js (+10 −1, modified)
    @@ -787,7 +787,16 @@ Ember.onLoad('Ember.Handlebars', function(Handlebars) {
           if (linkType === 'ID') {
             options.linkTextPath = linkTitle;
             options.fn = function() {
    -          return Ember.Handlebars.get(context, linkTitle, options);
    +          var result = Ember.Handlebars.get(context, linkTitle, options);
    +          if (result === null || result === undefined) {
    +            result = "";
    +          } else if (!(result instanceof Handlebars.SafeString)) {
    +            result = String(result);
    +          }
    +          if (!options.hash.unescaped){
    +            result = Handlebars.Utils.escapeExpression(result);
    +          }
    +          return result;
             };
           } else {
             options.fn = function() {
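Review bot: minor style: `if (!options.hash.unescaped){` lacks the space before the brace that the surrounding code uses (`if (linkType === 'ID') {`); worth fixing while the line is touched. More substantively, this nine-line null-check/stringify/escape sequence is now copied verbatim into three branches (this commit and the two sibling backports above); pulling it into one small helper on the shared code path would keep future escaping fixes from having to be applied three times.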
    
  • packages/ember/tests/helpers/link_to_test.js (+22 −0, modified)
    @@ -922,6 +922,28 @@ test("The non-block form {{link-to}} performs property lookup", function() {
       assertEquality('/about');
     });
     
    +test("The non-block form {{link-to}} protects against XSS", function() {
    +  Ember.TEMPLATES.application = Ember.Handlebars.compile("{{link-to display 'index' id='link'}}");
    +
    +  App.ApplicationController = Ember.Controller.extend({
    +    display: 'blahzorz'
    +  });
    +
    +  bootApplication();
    +
    +  Ember.run(router, 'handleURL', '/');
    +
    +  var controller = container.lookup('controller:application');
    +
    +  equal(Ember.$('#link', '#qunit-fixture').text(), 'blahzorz');
    +  Ember.run(function() {
    +    controller.set('display', '<b>BLAMMO</b>');
    +  });
    +
    +  equal(Ember.$('#link', '#qunit-fixture').text(), '<b>BLAMMO</b>');
    +  equal(Ember.$('b', '#qunit-fixture').length, 0);
    +});
    +
     test("the {{link-to}} helper calls preventDefault", function(){
       Router.map(function() {
         this.route("about");
    
