Loofah `allowed_uri?` does not detect `javascript:` URIs split by numeric character references without semicolons
Published: July 15, 2026
SECURITY IDENTIFIERS
- GHSA: GHSA-5qhf-9phg-95m2
- Vendor Advisory: https://github.com/flavorjones/loofah/security/advisories/GHSA-5qhf-9phg-95m2
GEM
UNAFFECTED VERSIONS
< 2.25.0
PATCHED VERSIONS
>= 2.25.2
DESCRIPTION
Summary
Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: or vbscript: URIs when the scheme is split by a numeric character reference that has no trailing semicolon. A browser decodes such references and resolves the URL to an executable javascript: scheme, while allowed_uri? reports it safe.
This is a bypass of the fix for GHSA-46fp-8f5p-pf2m, which handled numeric character references with a trailing ; (	, , ) but did not cover the forms without semicolons.
Impact
Callers that validate a user-controlled URL with Loofah::HTML5::Scrub.allowed_uri? and then render the approved value into an href or other browser-interpreted URI attribute may be vulnerable to cross-site scripting (XSS). This includes applications that call allowed_uri? directly, as well as higher-level features built on top of it, such as Action Text 8.2's markdown link validation.
Credit
Responsibly reported by GitHub user @MoonFuji.
