The tale of an XSS in Phlex (CVE-2024-32463)

17 Apr 2024

Phlex is a Ruby gem for building HTML components. Even though the HTML specification permits the javascript: scheme in the href attribute of an anchor tag, Phlex rejects it to prevent accidental XSS. When I had an initial look at the gem around its inception, I didn’t really check how this filtering works, but a Twitter exchange with Joel reminded me to see whether it could be bypassed somehow.

I downloaded the gem and found the bit of the code where this filtering was happening:

next if lower_name == "href" && v.start_with?(/\s*javascript:/i)

As you can see, the filter checks whether the attribute value starts with any number of whitespace characters followed by javascript:. To test the XSS I created a Rails app and a component with anchor tags, setting the anchor’s href from a GET parameter. My first thought was that the value might not be downcased, but that wasn’t the case, so a payload like JaVaScript: didn’t work. The next thing I tried was the space and tab characters, and lo and behold, the tab worked. The payload I used was java%09script:alert(%27XSS%27). So the URL-encoded tab character successfully bypassed the filter. But how would we persist this? Submitting the same payload in a form doesn’t work, because URL decoding only happens on GET parameters. That’s actually easy to overcome, because Rails merges both GET and POST params into the params hash, so we can submit the payload in the GET parameter and it will still be assigned to the attribute.
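The check quoted above beside a hardened one, as an added example that is neither Phlex’s code nor its actual fix: browsers remove ASCII tab, LF and CR anywhere in a URL and strip leading control characters before reading the scheme, which is why the tab slipped past a check that only looked at leading whitespace. The sample values are constructed, the hardened version assumes the value is HTML-escaped separately (so only raw characters reach it), and it goes beyond the post’s tab case by also covering LF, CR and leading control characters.

```ruby
# Mirrors the check quoted in the post: optional leading whitespace, then "javascript:".
def blocked_by_original_filter?(value)
  value.start_with?(/\s*javascript:/i)
end

# Normalize the way the WHATWG URL parser does before it reads the scheme:
# tab/LF/CR are removed anywhere, leading C0 controls and spaces are stripped.
# Returns the downcased scheme, or nil when the value has no scheme at all.
def normalized_scheme(value)
  v = value.delete("\t\n\r")
  v = v.gsub(/\A[\x00-\x20]+/, "")
  return nil unless v =~ /\A([a-z][a-z0-9+.\-]*):/i
  $1.downcase
end

# Hardened check: decide on the scheme the browser will actually see.
def blocked_by_hardened_filter?(value)
  normalized_scheme(value) == "javascript"
end

# Constructed attribute values => [blocked by original?, blocked by hardened?].
SAMPLES = {
  "javascript:alert(1)"       => [true,  true],
  "  JaVaScript:alert(1)"     => [true,  true],
  "java\tscript:alert('XSS')" => [false, true],   # the post's tab bypass, URL-decoded
  "\njavascript:alert(1)"     => [true,  true],   # \s already matches a leading LF
  "jav\nascript:alert(1)"     => [false, true],   # LF inside the scheme
  "\x01javascript:alert(1)"   => [false, true],   # leading C0 control is not \s
  "https://example.com/"      => [false, false],
  "/relative/path"            => [false, false],
  "javascript.example.com"    => [false, false],  # no colon, so no scheme
}.freeze

# Runs both checks over the samples and reports whether every expectation holds.
def filters_match_expectations?(samples = SAMPLES)
  samples.all? do |value, (orig, hard)|
    blocked_by_original_filter?(value) == orig && blocked_by_hardened_filter?(value) == hard
  end
end

if __FILE__ == $0
  SAMPLES.each_key do |v|
    puts format("%-30p original=%-5s hardened=%s", v,
                blocked_by_original_filter?(v), blocked_by_hardened_filter?(v))
  end
end
```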

Once I verified that the issue exists, I went to report it. This is where I usually get disappointed, because there is no clear way to report the issue. Not this time. Phlex has a Security.md with clear instructions about how to report a security issue. I also learned about GitHub’s private advisory feature, which Phlex uses to receive reports. It is a very neat way to handle reports in my opinion.

Joel fixed the issue pretty quickly and released new versions. If you use Phlex, upgrade to the latest version.
