SEVERITY
CVSS v3.x: 6.9 (Medium)
PATCHED VERSIONS
- >= 4.4.0
DESCRIPTION
Impact
Passing HTML that contains <option> elements from an untrusted source, even
after sanitizing it, to one of jQuery's DOM manipulation methods (e.g. .html(),
.append(), and others) may execute untrusted code.
Workarounds
To work around this issue without upgrading, sanitize the HTML string with
DOMPurify using its SAFE_FOR_JQUERY option before passing it to a jQuery
method.
