RubySec

CVE-2018-3740 (sanitize): HTML injection/XSS in Sanitize

GEM

sanitize

UNAFFECTED VERSIONS

  • < 1.1.0

PATCHED VERSIONS

  • ~> 2.1.1
  • >= 4.6.3

DESCRIPTION

When an unpatched version of the Sanitize gem is used in combination with libxml2 >= 2.9.2 (the libxml2 that Sanitize's HTML serialization runs on via Nokogiri), a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output. The result is that attributes which are not on the whitelist can end up on whitelisted elements in Sanitize's output, even though Sanitize's own filtering removed them.

This can allow HTML and JavaScript injection, which could result in XSS if Sanitize's output is served to browsers. Because the injected attributes bypass the whitelist rather than being permitted by it, tightening the whitelist does not mitigate the issue; the fix is to upgrade to a patched version.
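The version ranges above can be turned into a mechanical check. The following is an added example, not code from RubySec or from the Sanitize project: it encodes the advisory's unaffected and patched ranges with RubyGems' own `Gem::Requirement` matcher, applies the libxml2 >= 2.9.2 precondition, and pulls the locked sanitize version out of a Gemfile.lock. The lockfile text is constructed for the example; `Gem.loaded_specs` and `Nokogiri::VERSION_INFO['libxml']['loaded']` are assumed to be the right places to read the live versions in an application that has Nokogiri loaded.

```ruby
# Added example for CVE-2018-3740 (sanitize); not part of the advisory or the gem.
require 'rubygems'

# Version ranges exactly as stated in the advisory.
CVE_2018_3740_UNAFFECTED = Gem::Requirement.new('< 1.1.0')
CVE_2018_3740_PATCHED    = [Gem::Requirement.new('~> 2.1.1'),
                            Gem::Requirement.new('>= 4.6.3')].freeze
# The bug only manifests when Sanitize serializes through libxml2 >= 2.9.2.
CVE_2018_3740_LIBXML2    = Gem::Requirement.new('>= 2.9.2')

# Classify a sanitize gem version as :unaffected, :patched or :vulnerable.
def sanitize_status(version_string)
  v = Gem::Version.new(version_string)
  return :unaffected if CVE_2018_3740_UNAFFECTED.satisfied_by?(v)
  return :patched    if CVE_2018_3740_PATCHED.any? { |r| r.satisfied_by?(v) }
  :vulnerable
end

# True only when both conditions in the advisory hold: a vulnerable gem
# version and a libxml2 new enough to produce the improperly escaped output.
def cve_2018_3740_exposed?(sanitize_version, libxml2_version)
  sanitize_status(sanitize_version) == :vulnerable &&
    CVE_2018_3740_LIBXML2.satisfied_by?(Gem::Version.new(libxml2_version))
end

# Extract the resolved sanitize version from Gemfile.lock text. Bundler lists
# resolved specs under "specs:" indented by four spaces as "name (version)";
# dependencies of a spec are indented by six, so they do not match.
def locked_sanitize_version(lockfile_text)
  m = lockfile_text.match(/^ {4}sanitize \(([^)]+)\)/)
  m && m[1]
end

# Read the live versions from a running process (assumption: Nokogiri is
# loaded; VERSION_INFO exposes the libxml2 version actually linked at runtime).
def installed_versions
  sanitize = Gem.loaded_specs['sanitize'] && Gem.loaded_specs['sanitize'].version.to_s
  libxml2  = defined?(Nokogiri) ? Nokogiri::VERSION_INFO['libxml']['loaded'] : nil
  [sanitize, libxml2]
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.3)
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
      sanitize (4.6.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.4.4)
LOCK

if __FILE__ == $PROGRAM_NAME
  locked = locked_sanitize_version(SAMPLE_LOCKFILE)
  puts "Gemfile.lock pins sanitize #{locked}: #{sanitize_status(locked)}"
  puts "exposed with libxml2 2.9.4? #{cve_2018_3740_exposed?(locked, '2.9.4')}"
  puts "exposed with libxml2 2.9.1? #{cve_2018_3740_exposed?(locked, '2.9.1')}"
end
```

Note that `~> 2.1.1` covers 2.1.1 up to but not including 2.2, so a 3.x or early 4.x release is classified as vulnerable by this advisory's data; the only exit on those lines is upgrading to 4.6.3 or later.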