The tale of an XSS in Phlex (CVE-2024-32463) | Greg Molnar
19-Apr-2024 1138
Phlex is a Ruby gem for building HTML components. Even though the HTML specification permits the usage of the javascript scheme in the href attribute of an anchor tag, Phlex doesn’t permit it to prevent an accidental XSS. When I had an initial look at the gem around its inception, I didn’t really checked how this filtering works, but a Twitter exchange with Joel reminded me to see if it can be bypassed somehow.
The tale of an XSS in Phlex (CVE-2024-32463) | Greg Molnar #ruby #rubydeveloper #rubyonrails #Phlex #(CVE-2024-32463) #Molnar https://rubyonrails.ba/link/the-tale-of-an-xss-in-phlex-cve-2024-32463-greg-molnar