In middleware.rb, a request parameter is passed directly to the response body without being escaped.
id = request.params['id']
the parameter should be wrapped in html_escape to prevent possible XSS
id = html_escape(request.params['id'])
Please see this example URI as proof:
simple_captcha/?id=%22)%3B%20%3Cscript%20type=%27text/javascript%27%3Ealert(%27xss%27](url))%3B%3C/script%3E%20%23(%22
In middleware.rb, a request parameter is passed directly to the response body without being escaped.
id = request.params['id']the parameter should be wrapped in html_escape to prevent possible XSS
id = html_escape(request.params['id'])Please see this example URI as proof:
simple_captcha/?id=%22)%3B%20%3Cscript%20type=%27text/javascript%27%3Ealert(%27xss%27](url))%3B%3C/script%3E%20%23(%22