Overview
CVE-2007-3227 is a cross-site scripting (XSS) vulnerability, classified as CWE-79 (improper neutralization of input during web page generation), in ActiveRecord::Base#to_json in Ruby on Rails before edge revision 9606. The JSON produced by to_json carried attacker-controlled attribute values verbatim, including the characters <, > and &. Rails applications routinely embed that JSON straight into a page, most often inside a <script> element, so a stored value such as a name containing "</script><script>…" could close the script element and run arbitrary script in other users' browsers. This is a weakness in the serializer, not a misconfiguration: the fix makes to_json encode <, > and & as the JSON escapes \u003C, \u003E and \u0026 (the behaviour that current Rails exposes as ActiveSupport.escape_html_entities_in_json, enabled by default), so the serialized string remains valid JSON but can no longer contain an HTML tag. The lesson is that JSON is not automatically safe to interpolate into HTML or JavaScript; the output must be escaped for the context it lands in.
Affected Versions
Ruby on Rails before edge revision 9606, i.e. any release whose ActiveRecord::Base#to_json does not escape <, > and & in its output.
Code Fix Example
Ruby on Rails API Security Remediation
<%# Vulnerable ERB: unescaped JSON embedded directly into a script context.
    With a pre-9606 to_json, a name of "</script><script>alert(1)</script>"
    closes the script element and the injected script runs. %>
<script>var user = <%= @user.to_json %>;</script>
<%# Fixed script context: a patched to_json emits <, > and & as \u003C, \u003E
    and \u0026, so no tag can appear in the output. On Rails 1.x/2.x the ERB
    output tag does not escape, and the upgraded line above is the fix as is.
    On Rails 3+ the output tag HTML-escapes by default, which would corrupt the
    JSON (" becomes &quot;), so mark the already-safe JSON with raw. Do not use
    j/escape_javascript here: it is meant for JavaScript string literals and
    turns the JSON's double quotes into \", which is not valid JavaScript. %>
<script>var user = <%= raw @user.to_json %>;</script>
<%# Vulnerable HTML attribute context (Rails 1.x/2.x: output tag does not escape) %>
<div data-user="<%= @user.to_json %>"></div>
<%# Fixed HTML attribute context: HTML-escape the JSON with h (the default on
    Rails 3+) and decode it on the client with JSON.parse(el.dataset.user).
    j is wrong here too: it leaves the raw " characters that end the attribute. %>
<div data-user="<%= h @user.to_json %>"></div>
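The following is an added, stand-alone illustration of the two contexts above; it is not code from the page or from Rails. Using only the Ruby standard library, it reproduces what the pre-9606 serializer emitted, applies the same \u003C/\u003E/\u0026 escaping the Rails fix introduced (with U+2028/U+2029 added as an assumption, since they terminate JavaScript lines), HTML-escapes for the attribute case the way Rails' h helper does, and renders both into a minimal ERB template. The sample record and the json_unsafe, json_for_script, json_for_attribute, script_safe? and render_page names are constructed for this example.

```ruby
require "json"
require "erb"

# Constructed sample record; the attacker controls the "name" value.
USER = { "id" => 7, "name" => "</script><script>alert(1)</script>" }.freeze

# Pre-fix behaviour: a plain JSON serializer leaves <, > and & untouched,
# so the output can close the surrounding <script> element.
def json_unsafe(obj)
  JSON.generate(obj)
end

# What the Rails fix does: encode the characters that are meaningful in an
# HTML/JS context as JSON unicode escapes. The result is still valid JSON
# and decodes to the same value, but can no longer contain an HTML tag.
# U+2028/U+2029 are included because they terminate JavaScript lines
# (an assumption added here, not part of the 2007 change).
HTML_UNSAFE = {
  "<" => '\u003c', ">" => '\u003e', "&" => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def json_for_script(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/, HTML_UNSAFE)
end

# HTML attribute context: HTML-escape the JSON (what Rails' h helper does)
# and decode it on the client with JSON.parse(element.dataset.user).
def json_for_attribute(obj)
  ERB::Util.html_escape(json_unsafe(obj))
end

# True when the serialized text cannot close a <script> element.
def script_safe?(json)
  !json.downcase.include?("</script")
end

# Stand-in for the page's ERB templates, rendered with the stdlib ERB engine.
PAGE = ERB.new(
  '<script>var user = <%= json_for_script(user) %>;</script>' \
  '<div data-user="<%= json_for_attribute(user) %>"></div>'
)

def render_page(user)
  PAGE.result_with_hash(user: user)
end

if __FILE__ == $PROGRAM_NAME
  puts json_unsafe(USER)        # contains a literal </script>
  puts json_for_script(USER)    # same data, tags encoded as \u003c...\u003e
  puts render_page(USER)        # exactly one <script> and one </script>
end
```

Running the script prints the three forms side by side. The escaped JSON decodes back to the original value on the client, which is why the serializer-level fix is transparent to application code, whereas the attribute form must be read through JSON.parse because the browser unescapes the HTML entities before JavaScript sees it.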