Listen to this Post
The vulnerability arises from an improper propagation of the `@html_unsafe` flag within the `SafeBuffer%` method in Rails Active Support. A `SafeBuffer` is a string subclass that marks content as HTML-safe, preventing automatic escaping in ERB templates. The `%` method (string formatting) does not transfer the internal `@html_unsafe` state to the newly created buffer object. When a `SafeBuffer` is mutated in-place—for example, using gsub!—the buffer retains its HTML-safe flag even after manipulation. If that buffer is subsequently formatted with `%` using untrusted user input, the resulting string incorrectly reports html_safe? == true. Because ERB auto-escaping relies on this flag to decide whether to escape output, the untrusted content is rendered without sanitization, enabling a stored or reflected XSS attack. The flaw affects applications that use `html_safe` buffers and then apply `%` formatting with user-controlled strings. Attackers can inject JavaScript that executes in the victim’s browser, potentially stealing cookies, session tokens, or performing unauthorized actions. The issue was fixed by ensuring `%` correctly propagates the HTML-unsafe flag to the result, aligning with the expected safe-by-default behavior of Rails. Patched versions were released simultaneously with the advisory.
Platform: Rails Active Support
Version: <7.2.3.1 / 8.0.4.1 / 8.1.2.1
Vulnerability : Cross-site scripting (XSS)
Severity: Moderate
date: Mar 23, 2026
Prediction: Already patched Mar 23
What Undercode Say:
Check current Rails version rails -v List affected versions gem list rails Update Rails to patched version bundle update rails Verify patch applied grep -A2 "SafeBuffer" $(bundle show activesupport)/lib/active_support/core_ext/string/output_safety.rb
How Exploit:
Craft a payload where a `SafeBuffer` is modified with `gsub!` then formatted with `%` and an untrusted string, causing the final output to be marked `html_safe?` while containing unsanitized `
