Loofah `allowed_uri?` does not detect `javascript:` URIs split by named whitespace character references
Published: July 15, 2026
SECURITY IDENTIFIERS
- GHSA: GHSA-8whx-365g-h9vv
- Vendor Advisory: https://github.com/flavorjones/loofah/security/advisories/GHSA-8whx-365g-h9vv
GEM
UNAFFECTED VERSIONS
< 2.25.0
PATCHED VERSIONS
>= 2.25.2
DESCRIPTION
Summary
Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split or prefixed by the HTML5 named character references 	 (tab) or 
 (line feed).
This is a bypass of the fix for GHSA-46fp-8f5p-pf2m, which handled the equivalent numeric character references (	, , ) but did not cover the named forms.
