CVSS v3.x: 7.3 (High)
- < 3.0.0
- >= 5.2.1
When HTML is sanitized using Sanitize’s "relaxed" config or a custom config that allows certain
elements, some content in a
<svg> element may not be sanitized correctly even if
svg are not in the allowlist.
You are likely to be vulnerable to this issue if you use Sanitize’s relaxed config or a custom config that allows one or more of the following HTML elements:
Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.
This problem has been fixed in Sanitize 5.2.1.
If upgrading is not possible, a workaround is to override the default value of Sanitize’s
:remove_contents config option with the following value, which ensures that the contents of
svg elements (among others) are removed entirely when those elements are not in the
%w[iframe math noembed noframes noscript plaintext script style svg xmp]
For example, if you currently use Sanitize’s relaxed config, you can create a custom config
object that overrides the default value of
:remove_contents like this:
custom_config = Sanitize::Config.merge( Sanitize::Config::RELAXED, :remove_contents => %w[iframe math noembed noframes noscript plaintext script style svg xmp] )
You would then pass this custom config to Sanitize when sanitizing HTML.