Sha256: 12d1c74389594e6484ca4a280ca130d696f2cdf9a01e04c17772b94497063e01
Contents?: true
Size: 698 Bytes
Versions: 3
Compression:
Stored size: 698 Bytes
Contents
---
gem: sanitize
cve: 2018-3740
date: 2018-03-19
url: https://github.com/rgrove/sanitize/issues/176
title: HTML injection/XSS in Sanitize
description: |
  When Sanitize gem is used in combination with libxml2 >= 2.9.2, a specially
  crafted HTML fragment can cause libxml2 to generate improperly escaped
  output, allowing non-whitelisted attributes to be used on whitelisted
  elements. This can allow HTML and JavaScript injection, which could result
  in XSS if Sanitize's output is served to browsers.
unaffected_versions:
  - "< 1.1.0"
patched_versions:
  - "~> 2.1.1"
  - ">= 4.6.3"
related:
  url:
    - https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e
Version data entries
3 entries across 3 versions & 2 rubygems