logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-23627 sanitize

Package

Manager: gem
Name: sanitize
Vulnerable Version: >=5.0.0 <6.0.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00299 pctl0.52735

Details

Improper neutralization of `noscript` element content may allow XSS in Sanitize ### Impact Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `>= 5.0.0, < 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. Sanitize's default configs don't allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. ### Patches Sanitize `>= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist. ### Workarounds Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include `noscript` in the element allowlist. ### Details The root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later. ### References - [Release Notes](https://github.com/rgrove/sanitize/releases/tag/v6.0.1) ### Credit Thanks to David Klein from [TU Braunschweig](https://www.tu-braunschweig.de/en/ias) (@leeN) for reporting this issue.

Metadata

Created: 2023-01-28T01:17:44Z
Modified: 2023-01-28T01:17:44Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-fw3g-2h3j-qmm7/GHSA-fw3g-2h3j-qmm7.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-fw3g-2h3j-qmm7
Finding: F008
Auto approve: 1