logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-53985 rails-html-sanitizer

Package

Manager: gem
Name: rails-html-sanitizer
Vulnerable Version: =1.6.0 || >=1.6.0 <1.6.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00261 pctl0.49302

Details

rails-html-sanitize has XSS vulnerability with certain configurations ## Summary There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. * Versions affected: 1.6.0 * Not affected: < 1.6.0 * Fixed versions: 1.6.1 Please note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or >= 1.16.8. ## Impact A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways: * allow both "math" and "style" elements * or allow both "svg" and "style" elements Code is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways: 1. using application configuration to configure Action View sanitizers' allowed tags: ```ruby # In config/application.rb config.action_view.sanitized_allowed_tags = ["math", "style"] # or config.action_view.sanitized_allowed_tags = ["svg", "style"] ``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view 2. using a `:tags` option to the Action View helper `sanitize`: ``` <%= sanitize @comment.body, tags: ["math", "style"] %> <%# or %> <%= sanitize @comment.body, tags: ["svg", "style"] %> ``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize 3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`: ```ruby # class-level option Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"] # or Rails::HTML5::SafeListSanitizer.allowed_tags = ["svg", "style"] ``` (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`) 4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`: ```ruby # instance-level option Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"]) # or Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"]) ``` (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`) 5. setting ActionText::ContentHelper module attribute `allowed_tags`: ```ruby ActionText::ContentHelper.allowed_tags = ["math", "style"] # or ActionText::ContentHelper.allowed_tags = ["svg", "style"] ``` All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds. ## Workarounds Any one of the following actions will work around this issue: - Remove "style" from the overridden allowed tags, - Or, remove "math" and "svg" from the overridden allowed tags, - Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information) - Or, independently upgrade Nokogiri to v1.15.7 or >= 1.16.8. ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - Original report: https://hackerone.com/reports/2503220 ## Credit This vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).

Metadata

Created: 2024-12-02T21:48:14Z
Modified: 2024-12-03T18:50:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-w8gc-x259-rc7x/GHSA-w8gc-x259-rc7x.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-w8gc-x259-rc7x
Finding: F008
Auto approve: 1