Moderate severity · NVD Advisory · Published Feb 27, 2024 · Updated Feb 13, 2025

Rails Possible XSS Vulnerability in Action Controller

CVE-2024-26143

Description

Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications that call a translation method such as `translate` or `t` on a controller with a key ending in "_html" and a :default option that contains untrusted user input, and then use the resulting string in a view, may be susceptible to XSS: the default is marked HTML-safe without being escaped. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.
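An added illustration of the mechanism described above (not Rails code and not taken from the patches): a stand-in for the controller `translate` path with a constructed translation table, a `SafeString` class standing in for ActiveSupport's html_safe marking, and `render` standing in for a view's `<%= %>`. `translate_before_fix` passes an untrusted `:default` through unescaped for an `_html` key, while `translate_after_fix` escapes string defaults the way the fix does.

```ruby
require "erb"

# Constructed translation table standing in for config/locales (not Rails' data).
TRANSLATIONS = { "greeting_html" => "Hello <b>%{name}</b>" }.freeze

# Stand-in for ActiveSupport::SafeBuffer: a String that reports itself html_safe.
class SafeString < String
  def html_safe?
    true
  end
end

def html_key?(key)
  key.to_s.end_with?("_html", ".html")
end

# Shared lookup: interpolation values are escaped for html keys (as before the fix),
# and the default is used when the key is missing. escape_default is what the fix adds.
def lookup(key, default, interp, escape_default:)
  default = ERB::Util.html_escape(default) if escape_default && default.is_a?(String)
  if html_key?(key)
    interp = interp.transform_values { |v| ERB::Util.html_escape(v) }
  end
  text = TRANSLATIONS.fetch(key.to_s) { default || "translation missing: #{key}" }
  text = text % interp unless interp.empty?   # %{name} interpolation
  html_key?(key) ? SafeString.new(text) : text  # html keys are marked safe
end

def translate_before_fix(key, default: nil, **interp)
  lookup(key, default, interp, escape_default: false)
end

def translate_after_fix(key, default: nil, **interp)
  lookup(key, default, interp, escape_default: true)
end

# Stand-in for ERB's <%= %> in a view: html_safe strings pass through untouched,
# everything else is escaped on output.
def render(value)
  value.respond_to?(:html_safe?) && value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
end

if __FILE__ == $0
  untrusted = "<script>alert(1)</script>"   # constructed attacker-controlled input
  puts render(translate_before_fix("missing_html", default: untrusted))  # markup survives
  puts render(translate_after_fix("missing_html", default: untrusted))   # escaped
end
```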

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions       Patched versions
actionpack   RubyGems    >= 7.0.0, < 7.0.8.1     7.0.8.1
actionpack   RubyGems    >= 7.1.0, < 7.1.3.1     7.1.3.1
rails        RubyGems    >= 7.0.0, < 7.0.8.1     7.0.8.1
rails        RubyGems    >= 7.1.0, < 7.1.3.1     7.1.3.1

Patches (2)

4c83b331092a

fix XSS vulnerability when using translation

https://github.com/rails/rails · ooooooo_q · Jan 5, 2024 · via ghsa
3 files changed · +58 −1
  • actionpack/CHANGELOG.md+4 0 modified
    @@ -1,3 +1,7 @@
    +*   Fix possible XSS vulnerability with the `translate` method in controllers
    +
    +    CVE-2024-26143
    +
     ## Rails 7.0.8 (September 09, 2023) ##
     
     *   Fix `HostAuthorization` potentially displaying the value of the
    
  • actionpack/lib/abstract_controller/translation.rb+23 1 modified
    @@ -25,7 +25,25 @@ def translate(key, **options)
     
           i18n_raise = options.fetch(:raise, self.raise_on_missing_translations)
     
    -      ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
    +      if options[:default]
    +        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
    +        options[:default] = options[:default].map do |value|
    +          value.is_a?(String) ? ERB::Util.html_escape(value) : value
    +        end
    +      end
    +
    +      unless i18n_raise
    +        options[:default] = [] unless options[:default]
    +        options[:default] << MISSING_TRANSLATION
    +      end
    +
    +      result = ActiveSupport::HtmlSafeTranslation.translate(key, **options, raise: i18n_raise)
    +
    +      if result == MISSING_TRANSLATION
    +        +"translation missing: #{key}"
    +      else
    +        result
    +      end
         end
         alias :t :translate
     
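Review bot: the escaping at `value.is_a?(String) ? ERB::Util.html_escape(value) : value` runs for every key, not only the keys that `ActiveSupport::HtmlSafeTranslation` treats as HTML, so a plain-text key called with `default: "<tag>"` now returns `&lt;tag&gt;` as a non-html_safe String and is escaped a second time when rendered. Gating the `map` on the same html-key check the helper uses would limit the change to the `_html` path the advisory describes. A short comment explaining why `MISSING_TRANSLATION` is appended to the defaults (so a missing key is recognised here and the fallback text is built as a plain String) would also help the next reader.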
    @@ -34,5 +52,9 @@ def localize(object, **options)
           I18n.localize(object, **options)
         end
         alias :l :localize
    +
    +    private
    +      MISSING_TRANSLATION = -(2**60)
    +      private_constant :MISSING_TRANSLATION
       end
     end
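Review bot: the bare `private` before `MISSING_TRANSLATION = -(2**60)` has no effect on constants; `private_constant :MISSING_TRANSLATION` is what hides it. Dropping the `private` line avoids suggesting otherwise and avoids silently making any method later added below it private.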
    
  • actionpack/test/abstract/translation_test.rb+31 0 modified
    @@ -93,6 +93,22 @@ def test_default_translation
             end
           end
     
    +      def test_default_translation_as_safe_html
    +        @controller.stub :action_name, :index do
    +          translation = @controller.t(".twoz", default: ["<tag>"])
    +          assert_equal "&lt;tag&gt;", translation
    +          assert_equal true, translation.html_safe?
    +        end
    +      end
    +
    +      def test_default_translation_with_raise_as_safe_html
    +        @controller.stub :action_name, :index do
    +          translation = @controller.t(".twoz", raise: true, default: ["<tag>"])
    +          assert_equal "&lt;tag&gt;", translation
    +          assert_equal true, translation.html_safe?
    +        end
    +      end
    +
           def test_localize
             time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
             I18n.stub :localize, expected do
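Review bot: both new tests pass the default as an Array (`default: ["<tag>"]`), so the `unless options[:default].is_a?(Array)` wrapping branch in `translate` is never exercised. Adding a case with a scalar `default: "<tag>"` would cover the form most callers use.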
    @@ -136,6 +152,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
               assert_equal true, translation.html_safe?
             end
           end
    +
    +      def test_translate_marks_translation_with_missing_html_key_as_safe_html
    +        @controller.stub :action_name, :index do
    +          translation = @controller.t("<tag>.html")
    +          assert_equal "translation missing: <tag>.html", translation
    +          assert_equal false, translation.html_safe?
    +        end
    +      end
    +      def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
    +        @controller.stub :action_name, :index do
    +          translation = @controller.t(".<tag>.html")
    +          assert_equal "translation missing: abstract_controller.testing.translation.index.<tag>.html", translation
    +          assert_equal false, translation.html_safe?
    +        end
    +      end
         end
       end
     end
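Review bot: `test_translate_marks_translation_with_missing_html_key_as_safe_html` and its nested variant are named for the opposite of what they assert (`assert_equal false, translation.html_safe?`); renaming them to say the result is not html_safe keeps the test list readable. The blank line between the two methods that the rest of the file keeps is also missing.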
    
5187a9ef5198

fix XSS vulnerability when using translation

https://github.com/rails/rails · ooooooo_q · Jan 5, 2024 · via ghsa
3 files changed · +58 −1
  • actionpack/CHANGELOG.md+4 0 modified
    @@ -1,3 +1,7 @@
    +*   Fix possible XSS vulnerability with the `translate` method in controllers
    +
    +    CVE-2024-26143
    +
     *   Fix ReDoS in Accept header parsing
     
         CVE-2024-26142
    
  • actionpack/lib/abstract_controller/translation.rb+23 1 modified
    @@ -21,7 +21,25 @@ def translate(key, **options)
             key = "#{path}.#{action_name}#{key}"
           end
     
    -      ActiveSupport::HtmlSafeTranslation.translate(key, **options)
    +      if options[:default]
    +        options[:default] = [options[:default]] unless options[:default].is_a?(Array)
    +        options[:default] = options[:default].map do |value|
    +          value.is_a?(String) ? ERB::Util.html_escape(value) : value
    +        end
    +      end
    +
    +      if options[:raise].nil?
    +        options[:default] = [] unless options[:default]
    +        options[:default] << MISSING_TRANSLATION
    +      end
    +
    +      result = ActiveSupport::HtmlSafeTranslation.translate(key, **options)
    +
    +      if result == MISSING_TRANSLATION
    +        +"translation missing: #{key}"
    +      else
    +        result
    +      end
         end
         alias :t :translate
     
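Review bot: `if options[:raise].nil?` appends the sentinel only when the caller passed no `:raise` at all, so an explicit `raise: false` skips it and a missing key falls through to the pre-fix path, where the message I18n builds (which embeds the key) comes back through `HtmlSafeTranslation`. The 7.1 version of this change uses `unless i18n_raise`; `unless options[:raise]` here would match it and cover `raise: false`. As in the 7.1 patch, the `html_escape` of string defaults also runs for non-`_html` keys, which double-escapes plain-text defaults on output.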
    @@ -30,5 +48,9 @@ def localize(object, **options)
           I18n.localize(object, **options)
         end
         alias :l :localize
    +
    +    private
    +      MISSING_TRANSLATION = -(2**60)
    +      private_constant :MISSING_TRANSLATION
       end
     end
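Review bot: the bare `private` before `MISSING_TRANSLATION = -(2**60)` does nothing for a constant; `private_constant :MISSING_TRANSLATION` already hides it, so the `private` line can go.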
    
  • actionpack/test/abstract/translation_test.rb+31 0 modified
    @@ -83,6 +83,22 @@ def test_default_translation
             end
           end
     
    +      def test_default_translation_as_safe_html
    +        @controller.stub :action_name, :index do
    +          translation = @controller.t(".twoz", default: ["<tag>"])
    +          assert_equal "&lt;tag&gt;", translation
    +          assert_equal true, translation.html_safe?
    +        end
    +      end
    +
    +      def test_default_translation_with_raise_as_safe_html
    +        @controller.stub :action_name, :index do
    +          translation = @controller.t(".twoz", raise: true, default: ["<tag>"])
    +          assert_equal "&lt;tag&gt;", translation
    +          assert_equal true, translation.html_safe?
    +        end
    +      end
    +
           def test_localize
             time, expected = Time.gm(2000), "Sat, 01 Jan 2000 00:00:00 +0000"
             I18n.stub :localize, expected do
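Review bot: as in the 7.1 patch, both tests use an Array default (`default: ["<tag>"]`), leaving the scalar-String wrapping branch of `translate` untested; a `default: "<tag>"` case would cover it.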
    @@ -126,6 +142,21 @@ def test_translate_escapes_interpolations_in_translations_with_a_html_suffix
               assert_equal true, translation.html_safe?
             end
           end
    +
    +      def test_translate_marks_translation_with_missing_html_key_as_safe_html
    +        @controller.stub :action_name, :index do
    +          translation = @controller.t("<tag>.html")
    +          assert_equal "translation missing: <tag>.html", translation
    +          assert_equal false, translation.html_safe?
    +        end
    +      end
    +      def test_translate_marks_translation_with_missing_nested_html_key_as_safe_html
    +        @controller.stub :action_name, :index do
    +          translation = @controller.t(".<tag>.html")
    +          assert_equal "translation missing: abstract_controller.testing.translation.index.<tag>.html", translation
    +          assert_equal false, translation.html_safe?
    +        end
    +      end
         end
       end
     end
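Review bot: the two `..._as_safe_html` test names contradict the `assert_equal false, translation.html_safe?` they contain; rename them to say the result is not html_safe, and add the blank line between the two methods that the surrounding tests keep.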
    
