pludoni / simple-captcha

Rails 3+4 support now! Simple Captcha is the simplest and a robust captcha plugin. Its implementation requires adding up a single line in views and in controllers/models.
MIT License

Potential XSS flaw #59

Open wiredin opened 7 years ago

wiredin commented 7 years ago

In middleware.rb, a request parameter is passed directly to the response body without being escaped:

id = request.params['id']

The parameter should be wrapped in html_escape to prevent possible XSS:

id = html_escape(request.params['id'])

Please see this example URI as proof: simple_captcha/?id=%22)%3B%20%3Cscript%20type=%27text/javascript%27%3Ealert(%27xss%27](url))%3B%3C/script%3E%20%23(%22
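As an added illustration of the pattern the report describes (not simple-captcha's own middleware.rb code): a stand-in for request.params, the unescaped interpolation beside the same line wrapped in ERB::Util.html_escape (the method Rails' html_escape resolves to), and a crude check that a quote from user input closes the attribute early. The query string and the div template are constructed for the demonstration.

```ruby
require 'erb'
require 'uri'

# Stand-in for request.params: parse the query string of the request URI.
def params_from(query_string)
  URI.decode_www_form(query_string).to_h
end

# Flawed: the parameter is interpolated into the HTML body unescaped,
# mirroring `id = request.params['id']` in the report.
def unsafe_body(params)
  %(<div id="#{params['id']}"></div>)
end

# Fixed: html_escape turns &, <, >, " and ' into entities before interpolation,
# mirroring `id = html_escape(request.params['id'])`.
def safe_body(params)
  %(<div id="#{ERB::Util.html_escape(params['id'])}"></div>)
end

# Crude detector for this one-attribute template: more than the two quotes
# of id="..." means user input closed the attribute and injected markup.
def attribute_breakout?(body)
  body.scan(/"/).size > 2
end

# Constructed sample: a harmless id followed by a quote and a tag.
SAMPLE_QUERY = 'id=abc%22%3E%3Cb%3Ex%3C/b%3E'

if $PROGRAM_NAME == __FILE__
  params = params_from(SAMPLE_QUERY)
  puts "unsafe: #{unsafe_body(params)} breakout=#{attribute_breakout?(unsafe_body(params))}"
  puts "safe:   #{safe_body(params)} breakout=#{attribute_breakout?(safe_body(params))}"
end
```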