Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex
Description
phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. This was due to improper case-sensitivity in the code that was meant to prevent these attacks. If you render an `<a>` tag with an `href` attribute set to a user-provided link, that link could potentially execute JavaScript when clicked by another user. If you splat user-provided attributes when rendering any HTML tag, malicious event attributes could be included in the output, executing JavaScript when the events are triggered by another user. Patches are available on RubyGems for all 1.x minor versions. Users are advised to upgrade. Users unable to upgrade should consider configuring a content security policy that does not allow `unsafe-inline`.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Phlex, an open-source Ruby framework, contains a cross-site scripting (XSS) vulnerability due to improper case-sensitivity in attribute handling, allowing malicious JavaScript via user-controlled links or event attributes.
Vulnerability
Overview
CVE-2024-28199 is a cross-site scripting (XSS) vulnerability in phlex, an open-source Ruby framework for building object-oriented views. The root cause is improper case-sensitivity in the code that sanitizes HTML attributes, which was intended to prevent injection of malicious content. This flaw allows an attacker to bypass the sanitization by using mixed-case or alternative-casing for attribute names or event handlers [3].
Exploitation
Vectors
Two primary attack vectors exist. First, when an `<a>` tag is rendered with a user-provided `href` attribute, the link could execute JavaScript upon click by using a protocol like `javascript:`. Second, if user-provided attributes are 'splatted' onto any HTML tag, an attacker can inject malicious event attributes (e.g., `onclick`, `onmouseover`) that execute JavaScript when triggered by another user. No authentication is required beyond the ability to supply crafted data that is rendered by the vulnerable application [3].
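The following added example (not Phlex's code) reproduces the two vectors in a stripped-down attribute renderer so the bug and the fix can be compared side by side. The vulnerable form checks only the exact `:href` / `"href"` keys with a case-sensitive scheme regex and looks up event names by the raw key; the hardened form lowercases the name before every check and matches the scheme case-insensitively, which is the shape of the upstream fix. `EVENT_ATTRIBUTES` is a constructed subset standing in for the framework's fuller table, and `append_attribute` is a hypothetical helper.

```ruby
# Added example (not Phlex's code): a stripped-down attribute renderer that
# reproduces the case-sensitive filtering bug beside the case-normalized fix.
require "cgi"
require "set"

# Constructed subset of HTML event attribute names (the real table is larger).
EVENT_ATTRIBUTES = Set.new(%w[onclick onmouseover onload onerror onfocus]).freeze

# Hypothetical helper: emit ` name="escaped value"` onto the buffer.
def append_attribute(buffer, name, value)
  buffer << " " << name << '="' << CGI.escapeHTML(value.to_s) << '"'
end

# Vulnerable form: the href check only sees the exact keys :href / "href" and
# uses a case-sensitive scheme regex; the event-name lookup uses the raw key,
# so HREF: "JAVASCRIPT:..." and ONCLICK: "..." both slip through.
def render_attributes_vulnerable(attributes)
  attributes = attributes.dup
  [:href, "href"].each do |key|
    attributes.delete(key) if attributes[key].to_s.start_with?(/\s*javascript:/)
  end
  buffer = +""
  attributes.each do |k, v|
    name = k.to_s
    if EVENT_ATTRIBUTES.include?(name) || name.match?(/[<>&"']/)
      raise ArgumentError, "Unsafe attribute name detected: #{k}."
    end
    append_attribute(buffer, name, v)
  end
  buffer
end

# Hardened form: every check runs on the lowercased name and the scheme match
# is case-insensitive, so HREF / Href and JAVASCRIPT: / JavaScript: are caught.
# An unsafe href is dropped; an event attribute name is rejected outright.
def render_attributes_hardened(attributes)
  buffer = +""
  attributes.each do |k, v|
    name = k.to_s
    lower_name = name.downcase
    next if lower_name == "href" && v.to_s.start_with?(/\s*javascript:/i)
    if EVENT_ATTRIBUTES.include?(lower_name) || name.match?(/[<>&"']/)
      raise ArgumentError, "Unsafe attribute name detected: #{k}."
    end
    append_attribute(buffer, name, v)
  end
  buffer
end

if $PROGRAM_NAME == __FILE__
  user_link = { HREF: "JAVASCRIPT:alert(1)" } # constructed user-controlled input
  puts "vulnerable: <a#{render_attributes_vulnerable(user_link)}>"
  puts "hardened:   <a#{render_attributes_hardened(user_link)}>"
end
```

The two forms differ only in where the case normalization happens. Keeping the original key in the error message (`#{k}`) while checking `lower_name` preserves a useful diagnostic without weakening the check; the unsafe-character test stays on `name` because its character class is case-independent.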
Impact
A successful exploit allows an attacker to execute arbitrary JavaScript in the context of another user's session. This can lead to session hijacking, data theft, defacement, or other malicious actions. The vulnerability affects all renderings where user-supplied input is passed to href or to a hash of attributes, making it a high-severity issue for applications using phlex [3].
Mitigation
Patches are available on RubyGems for all 1.x minor versions. Users should upgrade to the latest patched version. Those unable to upgrade immediately can mitigate the risk by implementing a Content Security Policy (CSP) that does not allow unsafe-inline for scripts, effectively blocking inline JavaScript execution [1][2].
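To check that the interim mitigation is actually in place, the added example below (not Phlex's or Rails' code) parses a Content-Security-Policy header value and reports whether it still permits inline script. It applies two rules from the CSP specification: `script-src` falls back to `default-src` when absent, and a source list containing a nonce or hash source makes browsers ignore `'unsafe-inline'`. `WEAK_CSP` and `STRICT_CSP` are constructed sample policies.

```ruby
# Added example (not Phlex's or Rails' code): parse a Content-Security-Policy
# header value and report whether it still lets inline script run, which is
# what the advisory's interim mitigation is meant to rule out.

# Split "dir src src; dir src" into { "dir" => [sources] }.
def parse_csp(header)
  header.to_s.split(";").each_with_object({}) do |directive, policy|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name.downcase] = sources
  end
end

# Script sources in effect: script-src, else default-src, else nil (unrestricted).
def effective_script_sources(policy)
  policy["script-src"] || policy["default-src"]
end

# A nonce or hash source in the list makes browsers ignore 'unsafe-inline'
# (CSP Level 2 and later), so such a list does not allow inline script.
def nonce_or_hash?(sources)
  sources.any? { |s| s.match?(/\A'(nonce|sha256|sha384|sha512)-/i) }
end

def allows_inline_script?(header)
  sources = effective_script_sources(parse_csp(header))
  return true if sources.nil?           # no directive governs scripts at all
  return false if nonce_or_hash?(sources)
  sources.any? { |s| s.casecmp?("'unsafe-inline'") }
end

# Weak policy beside the corrected one (both constructed for this example).
WEAK_CSP   = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self'"

if $PROGRAM_NAME == __FILE__
  [WEAK_CSP, STRICT_CSP].each do |csp|
    puts "#{csp.inspect} allows inline script: #{allows_inline_script?(csp)}"
  end
end
```

Both inline event handler attributes and `javascript:` URLs are governed by `'unsafe-inline'` in the effective script source list, so a policy that omits it blocks both vectors described above even on an unpatched version; a nonce does not re-enable event handler attributes, which is why the check treats a nonced list as safe. In a Rails application the value would normally be set through the `config.content_security_policy` initializer rather than built by hand.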
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phlex (RubyGems) | >= 1.9.0, < 1.9.1 | 1.9.1 |
| phlex (RubyGems) | >= 1.8.0, < 1.8.2 | 1.8.2 |
| phlex (RubyGems) | >= 1.7.0, < 1.7.1 | 1.7.1 |
| phlex (RubyGems) | >= 1.6.0, < 1.6.2 | 1.6.2 |
| phlex (RubyGems) | >= 1.5.0, < 1.5.2 | 1.5.2 |
| phlex (RubyGems) | >= 1.4.0, < 1.4.1 | 1.4.1 |
| phlex (RubyGems) | >= 1.3.0, < 1.3.3 | 1.3.3 |
| phlex (RubyGems) | >= 1.2.0, < 1.2.2 | 1.2.2 |
| phlex (RubyGems) | >= 1.1.0, < 1.1.1 | 1.1.1 |
| phlex (RubyGems) | < 1.0.1 | 1.0.1 |
Affected products
- phlex-ruby/phlex, range: = 1.9.0
Patches
aa50c604cdee: Fix improper case-sensitivity
2 files changed · +34 −9
lib/phlex/sgml.rb+4 −9 modified@@ -393,14 +393,6 @@ def __final_attributes__(**attributes) attributes = process_attributes(**attributes) end - if attributes[:href]&.start_with?(/\s*javascript:/) - attributes.delete(:href) - end - - if attributes["href"]&.start_with?(/\s*javascript:/) - attributes.delete("href") - end - buffer = +"" __build_attributes__(attributes, buffer: buffer) @@ -418,8 +410,11 @@ def __build_attributes__(attributes, buffer:) else raise ArgumentError, "Attribute keys should be Strings or Symbols." end + lower_name = name.downcase + next if lower_name == "href" && v.start_with?(/\s*javascript:/i) + # Detect unsafe attribute names. Attribute names are considered unsafe if they match an event attribute or include unsafe characters. - if HTML::EVENT_ATTRIBUTES[name] || name.match?(/[<>&"']/) + if HTML::EVENT_ATTRIBUTES[lower_name] || name.match?(/[<>&"']/) raise ArgumentError, "Unsafe attribute name detected: #{k}." end
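Review bot: Deleting the `href` check from `__final_attributes__` (hunk at `-393`) is only safe if every attribute path still reaches the replacement check; the visible context shows `__final_attributes__` calling `__build_attributes__(attributes, buffer: buffer)` immediately afterwards, so the check is moved rather than lost. The one thing the removed code did that must survive is handling both the `:href` and `"href"` keys; since the loop in `__build_attributes__` derives `name` from either kind of key, this hunk is fine as a pure deletion.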
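Review bot: In the hunk at `-418`, `next if lower_name == "href" && v.start_with?(/\s*javascript:/i)` calls `start_with?` on the raw value; `v` may be a Symbol (the test hunk passes `:"JAVASCRIPT:alert(1)"`), which only responds to `start_with?` on Ruby 2.7 and later, and an Integer or nil `href` value would raise NoMethodError instead of being handled. Suggest `v.to_s.start_with?(/\s*javascript:/i)`. The two defenses also behave differently now: an unsafe `href` is silently dropped by `next`, while an event attribute name raises ArgumentError. That asymmetry is inherited from the old code, but a one-line comment beside the `next` would make clear the drop is deliberate. Keeping the unsafe-character check on `name` rather than `lower_name` is correct, since the character class is case-independent.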
test/phlex/view/naughty_business.rb+30 −0 modified@@ -3,6 +3,36 @@ describe Phlex::HTML do extend ViewHelper + with "naughty javascript links" do + view do + def template + a(href: "javascript:alert(1)") { "a" } + a(href: "JAVASCRIPT:alert(1)") { "b" } + a(href: :"JAVASCRIPT:alert(1)") { "c" } + a(HREF: "javascript:alert(1)") { "d" } + end + end + + it "removes the href attributes" do + expect(output).to be == "<a>a</a><a>b</a><a>c</a><a>d</a>" + end + end + + with "naughty uppercase event tag" do + view do + def template + button ONCLICK: "ALERT(1)" do + "naughty button" + end + end + end + + it "raises" do + expect { output }.to raise_exception ArgumentError, + message: be == "Unsafe attribute name detected: ONCLICK." + end + end + with "naughty text" do view do def view_template
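Review bot: The new cases cover an uppercase scheme, a Symbol value and an uppercase `HREF` key, but every case uses a Symbol key; since the old code checked `attributes["href"]` separately, add one case with a String key, e.g. `a("href" => "javascript:alert(1)") { "e" }`, and one with leading whitespace before the scheme, since the regex is written as `/\s*javascript:/i` precisely to catch that. The `raises` test pinning the message to `"Unsafe attribute name detected: ONCLICK."` usefully confirms the error reports the key in its original casing.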
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-242p-4v39-2v8g (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-28199 (advisory)
- developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
- github.com/phlex-ruby/phlex/commit/aa50c604cdee1d0ce7ef068a4c66cbd5d43f96a1 (fix commit)
- github.com/phlex-ruby/phlex/security/advisories/GHSA-242p-4v39-2v8g (vendor advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/phlex/CVE-2024-28199.yml