RubySec

Providing security resources for the Ruby community

GHSA-8whx-365g-h9vv (loofah): Loofah `allowed_uri?` does not detect `javascript:` URIs split by named whitespace character references

Loofah `allowed_uri?` does not detect `javascript:` URIs split by named whitespace character references

Published: July 15, 2026

SECURITY IDENTIFIERS

GEM

loofah

UNAFFECTED VERSIONS

< 2.25.0

PATCHED VERSIONS

>= 2.25.2

DESCRIPTION

Summary

Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split or prefixed by the HTML5 named character references &Tab; (tab) or &NewLine; (line feed).

This is a bypass of the fix for GHSA-46fp-8f5p-pf2m, which handled the equivalent numeric character references (&#9;, &#10;, &#13;) but did not cover the named forms.

RELATED