Anonymous Intelligence Signal

Critical XSS Flaw in Dashboard Controller Exposes Users to Cookie-Based JavaScript Injection via Unescaped Font Parameter

human The Lab unverified 2026-05-13 15:48:34 Source: GitHub Issues

A critical cross-site scripting vulnerability has been identified in the application's dashboard controller, stemming from unsanitized user input persisted through cookies. The flaw allowed attacker-controlled `params[:font]` values to be stored in `cookies[:font]` and subsequently injected—without escaping—into an inline `<style>` tag via the `raw` helper. This implementation error created a direct path for malicious actors to break out of the CSS context and execute arbitrary JavaScript in victims' browsers simply by crafting a specially formatted cookie payload.

The vulnerability operated as a stored XSS vector, meaning any user whose browser rendered the compromised cookie would automatically execute the injected script upon visiting the affected page. The attack chain required no user interaction beyond normal page navigation, making it particularly dangerous for applications handling sensitive user sessions or personal data. The core weakness lay in the application's failure to validate or sanitize font preference parameters before persistence and rendering.

The remediation implemented strict input validation through a whitelist approach in the dashboard controller. The fix introduces an `allowed_fonts` hash mapping safe font size keys—`small`, `medium`, `large`, and `extra-large`—to their corresponding CSS pixel values. The modified logic now rejects any font parameter falling outside this predefined set, effectively neutralizing injection attempts. Security researchers recommend auditing all cookie-based state persistence points for similar validation gaps, as this pattern represents a common but often overlooked attack surface in web applications that store user preferences server-side.
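To make the vulnerable pattern and the fix concrete, here is an added example (not the project's code) that models the controller's font handling without Rails: the `raw`-style interpolation beside the allowlisted form. The hash keys come from the advisory; the pixel values, helper names, and the constructed cookie value are assumptions.

```ruby
# Allowlist from the fix: preference key -> CSS size.
# Keys are from the advisory; the pixel values are assumed.
ALLOWED_FONTS = {
  'small'       => '12px',
  'medium'      => '16px',
  'large'       => '20px',
  'extra-large' => '24px'
}.freeze
DEFAULT_FONT = 'medium'

# Vulnerable pattern: cookies[:font] is interpolated verbatim into <style>,
# exactly what `raw` does, so a value containing markup breaks the CSS context.
def vulnerable_style(cookie_font)
  "<style>body { font-size: #{cookie_font}; }</style>"
end

# Hardened pattern, step 1: only an allowlisted key is ever accepted;
# anything else (including markup) is replaced by the default.
def sanitize_font(param)
  ALLOWED_FONTS.key?(param.to_s) ? param.to_s : DEFAULT_FONT
end

# Hardened pattern, step 2: validate on write, so the cookie never holds raw input.
# `params` and `cookies` are plain hashes here standing in for the Rails objects.
def store_font_preference(params, cookies)
  cookies[:font] = sanitize_font(params[:font])
  cookies
end

# Hardened pattern, step 3: validate again on read and render the mapped CSS value,
# never the cookie string itself.
def hardened_style(cookie_font)
  "<style>body { font-size: #{ALLOWED_FONTS[sanitize_font(cookie_font)]}; }</style>"
end

# Detection aid for log or cookie review: a font cookie that is not one of the
# known keys cannot have been set by the fixed controller.
def suspicious_font_cookie?(value)
  !ALLOWED_FONTS.key?(value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  tampered = '</style><b>injected</b>' # constructed tag-breaking value, not a real payload
  puts vulnerable_style(tampered)        # markup lands in the page
  puts hardened_style(tampered)          # falls back to the default size
end
```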