Impact
During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site-scripting) protection built into Phlex.
- The first bypass could happen if user-provided attributes with string keys were splatted into an HTML tag, e.g. `div(**user_attributes)`.
- The second bypass could happen if user-provided tag names were passed to the `tag` method, e.g. `tag(some_tag_name_from_user)`.
- The third bypass could happen if user-provided links were passed to `href` attributes, e.g. `a(href: user_provided_link)`.
All three of these patterns are meant to be safe, and all three have now been patched.
Patches
We have patched all three issues and introduced new tests that run against Safari, Firefox and Chrome.
The patched versions are:
We have also patched the main branch in GitHub.
Workarounds
If you use a secure CSP (content security policy), or if your application does not use any of the three patterns above, you are not at risk. Otherwise, upgrade to a patched version.
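As an added illustration of the three patterns named in the Impact section (not code from Phlex or from the advisory), the following stdlib-only Ruby guards show the kind of application-side allow-listing a caller can apply before untrusted values reach `div(**attrs)`, `tag(name)` or `a(href: link)`. The module name, the attribute-name pattern, the tag and URL-scheme allow-lists and the sample inputs are all assumptions chosen for this example; the advisory does not describe how Phlex's own validation works or what the patched versions check.

```ruby
require "uri"

# Added example, not part of Phlex: application-level guards for user-controlled
# attribute hashes, tag names and links. Every allow-list below is an assumption.
module UntrustedHtmlInput
  ATTRIBUTE_NAME = /\A[a-z][a-z0-9-]*\z/                 # assumed allow-list
  SAFE_TAGS      = %w[div span p a ul ol li strong em].freeze  # assumed allow-list
  SAFE_SCHEMES   = %w[http https mailto].freeze              # assumed allow-list

  module_function

  # Pattern 1: div(**user_attributes).
  # Normalise string keys to symbols and drop anything that is not a plain
  # attribute name, any on* event handler, and any href that fails safe_href?.
  def safe_attributes(attrs)
    attrs.each_with_object({}) do |(key, value), out|
      name = key.to_s
      next unless name.match?(ATTRIBUTE_NAME)
      next if name.start_with?("on")              # onclick, onload, onerror ...
      next if name == "href" && !safe_href?(value)
      out[name.to_sym] = value.to_s
    end
  end

  # Pattern 2: tag(some_tag_name_from_user).
  # Only tag names on the allow-list get through; anything else raises.
  def safe_tag_name(name)
    normalized = name.to_s.downcase
    unless SAFE_TAGS.include?(normalized)
      raise ArgumentError, "disallowed tag name: #{name.inspect}"
    end
    normalized
  end

  # Pattern 3: a(href: user_provided_link).
  # Accept same-origin paths ("/x" but not "//host") and absolute URLs whose
  # scheme is on the allow-list; reject everything else, including strings
  # URI cannot parse (which also covers control characters inside a scheme).
  def safe_href?(link)
    s = link.to_s.strip
    return false if s.empty?
    return true if s.start_with?("/") && !s.start_with?("//")
    uri = URI.parse(s)
    return false if uri.scheme.nil?               # scheme-less relative text is rejected
    SAFE_SCHEMES.include?(uri.scheme.downcase)
  rescue URI::InvalidURIError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, as an attacker-controlled hash might arrive.
  user_attributes = {
    "class"   => "card",
    "onclick" => "alert(1)",
    "href"    => "javascript:alert(1)",
    "data-id" => 7,
  }
  p UntrustedHtmlInput.safe_attributes(user_attributes)
  p UntrustedHtmlInput.safe_tag_name("SPAN")
  p UntrustedHtmlInput.safe_href?(" JavaScript:alert(1)")
end
```

`safe_attributes` converts every surviving key to a symbol so that the caller splats a hash of a single, known key type; `safe_href?` deliberately rejects scheme-less relative references such as `page.html`, which a stricter deployment may want to allow by prefixing them with the application's own base path rather than passing them through verbatim.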