GHSA-pg8v-g4xq-hww9
Vulnerability from github
Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both select
and style
elements. Code is only impacted if allowed tags are being overridden.
This may be done via application configuration: ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]
see https://guides.rubyonrails.org/configuring.html#configuring-action-view
Or it may be done with a :tags
option to the Action View helper sanitize
: <%= sanitize @comment.body, tags: ["select", "style"] %>
see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
It may also be done with Rails::Html::SafeListSanitizer directly:
ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
or with
ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either select
or style
from the overridden allowed tags.
{ "affected": [ { "package": { "ecosystem": "RubyGems", "name": "rails-html-sanitizer" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "1.4.3" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-32209" ], "database_specific": { "cwe_ids": [ "CWE-79" ], "github_reviewed": true, "github_reviewed_at": "2022-07-05T18:10:35Z", "nvd_published_at": "2022-06-24T15:15:00Z", "severity": "MODERATE" }, "details": "Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer\u0027s allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. \n\nThis may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`: ```\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e``` \n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize \n\nIt may also be done with Rails::Html::SafeListSanitizer directly: \n```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]``` or with\n```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.", "id": "GHSA-pg8v-g4xq-hww9", "modified": "2022-07-07T17:13:54Z", "published": "2022-06-25T00:00:54Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32209" }, { "type": "WEB", "url": "https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d" }, { "type": "WEB", "url": "https://hackerone.com/reports/1530898" }, { "type": "PACKAGE", "url": "https://github.com/rails/rails-html-sanitizer" }, { "type": "WEB", "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml" }, { "type": "WEB", "url": "https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ], "summary": "Rails::Html::Sanitizer vulnerable to Cross-site Scripting" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.