Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: rails-html-sanitizer
date: 2018-03-22
url: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
cve: 2018-3741
title: XSS vulnerability in rails-html-sanitizer
description: |
  There is a possible XSS vulnerability in rails-html-sanitizer. When given
  specially-crafted HTML fragments as input, the gem allows attributes that are
  not on the whitelist to remain in the sanitized output, and these attributes
  can lead to an XSS attack on applications that render that output.

  This issue is similar to CVE-2018-8048 in Loofah.
patched_versions:
- ">= 1.0.4"
related:
  cve:
  - 2018-8048
  url:
  - https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae
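The practical question an advisory like this raises is whether a given application is running a patched version. The following Ruby is an added example, not part of the advisory or of the rails-html-sanitizer project: it takes the `patched_versions` range from the record above and checks a locked gem version against it using the `Gem::Version` and `Gem::Requirement` classes that ship with RubyGems. The `Gemfile.lock` fragment is constructed for the example; the helper names (`patched?`, `locked_version`, `audit`) are this example's own.

```ruby
require "rubygems"

# Patched range copied from the advisory's patched_versions field
# (rails-html-sanitizer, CVE-2018-3741).
PATCHED_VERSIONS = [">= 1.0.4"].freeze

# True if `version` satisfies at least one of the patched requirement
# strings. Gem::Requirement understands the same operators as a Gemfile
# (">=", "~>", "<", ...), so the advisory ranges can be used verbatim.
def patched?(version, patched_ranges = PATCHED_VERSIONS)
  v = Gem::Version.new(version)
  patched_ranges.any? { |range| Gem::Requirement.new(range).satisfied_by?(v) }
end

# Extract the locked version of `gem_name` from Gemfile.lock text.
# Locked specs sit under "specs:" at four spaces of indentation as
# "    name (x.y.z)"; their dependencies are indented further and carry a
# requirement rather than a version, so the anchored four-space match
# skips them. Returns nil when the gem is not locked at all.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)]+)\)$/)
  m && m[1]
end

# Classify a gem as :patched, :vulnerable or :not_present for a lockfile.
def audit(lockfile_text, gem_name, patched_ranges = PATCHED_VERSIONS)
  ver = locked_version(lockfile_text, gem_name)
  return :not_present if ver.nil?
  patched?(ver, patched_ranges) ? :patched : :vulnerable
end

# Constructed sample Gemfile.lock fragment (not taken from any real app):
# rails-html-sanitizer is locked one release below the patched range.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.2.0)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "rails-html-sanitizer: #{audit(SAMPLE_LOCK, 'rails-html-sanitizer')}"
end
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `File.read("Gemfile.lock")`; note that the check only tells you the locked version is outside the advisory range, so a prerelease such as `1.0.4.rc1` is correctly reported as vulnerable, since RubyGems orders it before `1.0.4`.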