The problem relates directly to the implementation of the bootstrap_flash helper function. This function is defined in app/helpers/bootstrap_flash_helper.rb within the twitter-bootstrap-rails gem.
The vulnerability exists because the library explicitly calls .html_safe on the msg variable (line 18), which is an element of the flash array. The items within the flash array are set by the application's own controller code and are not sanitized beforehand. In the case of our application, these messages include information supplied through request parameters.
The solution is as simple as removing the .html_safe function call occurring on the msg object from within the bootstrap_flash function (line 18). By removing this particular instance of .html_safe, we ensure that the msg variable is automatically encoded prior to generating the HTML content for the div tag container.
This issue was originally reported to the twitter-bootstrap-rails developers on 02/23/2014, and a remediating pull request was submitted and accepted on 03/25/2014. We recommend you update your gem from the GitHub source by adding the following line to your Gemfile. If it cannot be updated, we’ve provided a patched version of the helper that can be added to your Rails application here.
With a quick scan through GitHub, it appears that the twitter-bootstrap-rails gem is in use within approximately 16,000 repositories.
Update: CVE identifier CVE-2014-4920 was issued on 07/11/2014, but an advisory has not yet been published.