
Commit 0e5c35d

jasnow authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@db8a791
1 parent 337ffe5 commit 0e5c35d

1 file changed: 71 additions and 0 deletions
@@ -0,0 +1,71 @@
1+
---
2+
layout: advisory
3+
title: 'GHSA-w67g-2h6v-vjgq (phlex): Phlex XSS protection bypass via attribute splatting,
4+
dynamic tags, and href values'
5+
comments: false
6+
categories:
7+
- phlex
8+
advisory:
9+
gem: phlex
10+
ghsa: w67g-2h6v-vjgq
11+
url: https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq
12+
title: Phlex XSS protection bypass via attribute splatting, dynamic tags, and href
13+
values
14+
date: 2026-02-06
15+
description: |
16+
### Impact
17+
18+
During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex,
19+
we identified three specific ways to bypass the XSS (cross-site-scripting)
20+
protection built into Phlex.
21+
22+
1. The first bypass could happen if user-provided attributes with
23+
string keys were splatted into HTML tag, e.g. `div(**user_attributes)`.
24+
25+
2. The second bypass could happen if user-provided tag names were
26+
passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`.
27+
28+
3. The third bypass could happen if user’s links were passed to
29+
`href` attributes, e.g. `a(href: user_provided_link)`.
30+
31+
All three of these patterns are meant to be safe and all
32+
have now been patched.
33+
34+
### Patches
35+
36+
Phlex has patched all three issues and introduced new tests that
37+
run against Safari, Firefox and Chrome.
38+
39+
The patched versions are:
40+
41+
- [2.4.1](https://rubygems.org/gems/phlex/versions/2.4.1)
42+
- [2.3.2](https://rubygems.org/gems/phlex/versions/2.3.2)
43+
- [2.2.2](https://rubygems.org/gems/phlex/versions/2.2.2)
44+
- [2.1.3](https://rubygems.org/gems/phlex/versions/2.1.3)
45+
- [2.0.2](https://rubygems.org/gems/phlex/versions/2.0.3)
46+
- [1.11.1](https://rubygems.org/gems/phlex/versions/1.11.1)
47+
48+
Phlex has also patched the [`main`](https://github.com/yippee-fun/phlex)
49+
branch in GitHub.
50+
51+
### Workarounds
52+
If a project uses a secure CSP (content security policy) or if the
53+
application doesn’t use any of the above patterns, it is not at risk.
54+
cvss_v3: 7.1
55+
patched_versions:
56+
- "~> 1.11.1"
57+
- "~> 2.0.2"
58+
- "~> 2.1.3"
59+
- "~> 2.2.2"
60+
- "~> 2.3.2"
61+
- ">= 2.4.1"
62+
related:
63+
url:
64+
- https://github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq
65+
- https://github.com/yippee-fun/phlex/commit/1d85da417cb15eb8cb2f54a68d531c9b35d9d03a
66+
- https://github.com/yippee-fun/phlex/commit/556441d5a64ff93f749e8116a05b2d97264468ee
67+
- https://github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
68+
- https://github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
69+
- https://github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
70+
- https://github.com/advisories/GHSA-w67g-2h6v-vjgq
71+
---
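Review bot: the 2.0.x entry in the patched-versions list, `- [2.0.2](https://rubygems.org/gems/phlex/versions/2.0.3)`, has link text 2.0.2 but points at the 2.0.3 release page, while the `patched_versions` constraint below says `"~> 2.0.2"`; confirm which 2.0.x release actually carries the fix and make the link text, URL and constraint agree, since a constraint one patch level too low would let a still-vulnerable 2.0.2 pass a bundler-audit check as patched. Also, the Workarounds paragraph's statement that a project with a secure CSP "is not at risk" should not be read as an alternative to upgrading: a CSP limits what injected markup can do (script execution, remote loads) but does not stop the attribute, tag-name or href injection itself, and `javascript:` hrefs or injected form/iframe elements can still cause harm under many policies.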
