Description
In app/views/layouts/_account_accent_color_override.html.erb, @account.accent_color is interpolated directly into a <style> block roughly 15 times, with no validation of the value and no escaping appropriate to a CSS context.
<style>
  .btn-primary {
    background-color: <%= @account.accent_color %>;
    color: <%= @account.accent_label_color %>;
    ...
  }
</style>
Risk
If an attacker sets their accent_color to a value such as red; } body { display:none } .x {, the value terminates the CSS property and rule it sits in, so the attacker can inject arbitrary CSS. With a value containing </style><script>..., this could escalate to XSS.
Recommendation
Validate accent_color in the Account model to only allow valid hex colors (e.g., /\A#[0-9a-f]{6}\z/i).
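The check the recommendation describes, as an added example that is not the project's code: the report's regex applied in plain Ruby so it runs without Rails, plus a render-time fallback for values that were stored before validation existed. The AccentColor module, the validates call shown in the comment and the default colours are assumptions.

```ruby
# Constructed example (not the project's code): the hex-only check from the
# recommendation as plain Ruby, so it runs without Rails. In the Account model
# the same rule would be declared as:
#   validates :accent_color, :accent_label_color,
#             format: { with: AccentColor::FORMAT, allow_blank: true }
module AccentColor
  # "#" plus exactly six hex digits. \A and \z anchor the whole string; with
  # ^/$ (line anchors) a value like "#abcdef\n{...}" would still match.
  FORMAT = /\A#[0-9a-f]{6}\z/i

  def self.valid?(value)
    value.is_a?(String) && FORMAT.match?(value)
  end

  # Render-time fallback (defense in depth, hypothetical default): a stored
  # value that fails validation is replaced, never interpolated as-is.
  def self.safe(value, default: "#336699")
    valid?(value) ? value.downcase : default
  end

  # Builds the override stylesheet from checked values only.
  def self.stylesheet(accent:, label:)
    <<~CSS
      .btn-primary {
        background-color: #{safe(accent)};
        color: #{safe(label, default: "#ffffff")};
      }
    CSS
  end
end

# Constructed inputs, including the two breakout strings from the report.
SAMPLES = {
  "#1A2B3C" => true,
  "#abcdef" => true,
  "red" => false,
  "#abc" => false,
  "#abcdef\n" => false,
  "red; } body { display:none } .x {" => false,
  "#abcdef</style><script>..." => false,
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |value, expected|
    puts "#{AccentColor.valid?(value) == expected ? 'ok ' : 'BAD'} #{value.inspect}"
  end
  puts AccentColor.stylesheet(accent: "red; } body { display:none } .x {", label: "#FFFFFF")
end
```

Named colours such as "red" are rejected on purpose: the report's regex only admits six-digit hex, which is the narrowest form that still covers a colour picker's output.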
Severity
Critical