ADVISORIES
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
UNAFFECTED VERSIONS
- < 1.1.0
PATCHED VERSIONS
- ~> 2.1.1
- >= 4.6.3
DESCRIPTION
When Sanitize gem is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.
This can allow HTML and JavaScript injection, which could result in XSS if Sanitize’s output is served to browsers.