Описание
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| ruby-rails-html-sanitizer | fixed | 1.4.4-1 | package |
Примечания
https://github.com/rails/rails-html-sanitizer/issues/135
https://github.com/rails/rails-html-sanitizer/commit/d1223a29cb3e4151cdcb6ba6c8431708d8ce40a6 (v1.4.4)
https://github.com/rails/rails-html-sanitizer/commit/bb6dfcbaaf9c5c8c4f77555557693c08d4d4ab48 (v1.5.0)
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
EPSS
Связанные уязвимости
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.
Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Уязвимость реализации конфигурации инструмента очистки HTML для приложений Rails Rails Html Sanitizer, связанная с неправильной нейтрализацией входных данных во время генерации веб-страницы, позволяющая нарушителю проводить межсайтовые сценарные атаки
EPSS