RubySec

Providing security resources for the Ruby community

GHSA-cj75-f6xr-r4g7 (rails-html-sanitizer): Possible XSS vulnerability with certain configurations of rails-html-sanitizer

Possible XSS vulnerability with certain configurations of rails-html-sanitizer

Published: July 15, 2026

SECURITY IDENTIFIERS

GEM

rails-html-sanitizer

FRAMEWORK

Ruby on Rails

UNAFFECTED VERSIONS

< 1.0.3

PATCHED VERSIONS

>= 1.7.1

DESCRIPTION

Summary

There is a possible cross-site scripting vulnerability in rails-html-sanitizer when the sanitizer is configured to allow an SVG reference element such as <use>. See related GHSA-9wjq-cp2p-hrgf in Loofah, whose SVG local-reference logic rails-html-sanitizer mirrors.

RELATED