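# Reports CVE-2012-3465, a cross-site scripting weakness in the +strip_tags+
# helper, when the application's Rails version falls inside an affected range.
#
# Rails 2.x (2.0.0-2.3.14) is only reported when +escape_html+ is enabled in
# the tracker config; the reason for that extra condition is not visible here,
# so confirm it against the tracker's config semantics before relaxing it. No
# patched 2.x release is named, so that branch carries no upgrade advice,
# whereas each 3.x branch names the release that fixes it.
#
# Uses +&&+ rather than +and+ for the boolean condition (same result here, but
# +and+ has lower precedence than assignment and is a known trap).
#
# @return [nil] when the detected version is not affected; otherwise the
#   result of +warn+
def cve_2012_3465
  # Affected 3.x ranges (inclusive, as implemented by +version_between?+)
  # mapped to the release that fixes each one.
  fixed_in = {
    %w[3.0.10 3.0.16] => '3.0.17',
    %w[3.1.0 3.1.7] => '3.1.8',
    %w[3.2.0 3.2.7] => '3.2.8'
  }

  message =
    if version_between?('2.0.0', '2.3.14') && tracker.config.escape_html?
      msg("All Rails 2.x versions have a vulnerability in ", msg_code("strip_tags"), " ", msg_cve("CVE-2012-3465"))
    else
      _range, fixed = fixed_in.find { |(low, high), _| version_between?(low, high) }
      # Not an affected version: nothing to report.
      return unless fixed

      # Appended with << (as the original did) rather than passed as an extra
      # argument, so the message object's own part handling is unchanged.
      msg(msg_version(rails_version), " has a vulnerability in ", msg_code("strip_tags"), " ", msg_cve("CVE-2012-3465"), ". Upgrade to ")
        .tap { |m| m << msg_version(fixed) }
    end

  warn :warning_type => "Cross-Site Scripting",
    :warning_code => :CVE_2012_3465,
    :message => message,
    :confidence => :high,
    :gem_info => gemfile_or_environment,
    :link_path => "https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"
end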