Moderate severity vulnerability that affects loofah

2018-03-21T11:57:11
ID GHSA-X7RV-CR6V-4VM4
Type github
Reporter GitHub Advisory Database
Modified 2019-07-03T21:02:01

Description

Loofah allows non-whitelisted attributes to be present in sanitized output when it is given input containing specially crafted HTML fragments.

Users are affected if running Loofah < 2.2.1, but only:

  • when running on MRI or RBX,
  • in combination with libxml2 >= 2.9.2.

Please note: JRuby users are not affected.
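The affected-version conditions above can be checked against a project's `Gemfile.lock`. The following is an added example, not code from the advisory or from the Loofah project. The function names and sample lockfile are constructed for illustration, and the caller supplies the Ruby engine name (`RUBY_ENGINE`) and the libxml2 version (for instance as reported by `nokogiri -v`).

```ruby
require "rubygems" # Gem::Version, used for correct version ordering

FIXED_LOOFAH     = Gem::Version.new("2.2.1") # first release outside the affected range
RISKY_LIBXML2    = Gem::Version.new("2.9.2") # affected only with libxml2 >= this
AFFECTED_ENGINES = %w[ruby rbx].freeze       # RUBY_ENGINE values for MRI and RBX

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<LOCK
GEM
  remote: https://rubygems.org/
  specs:
    crass (1.0.3)
    loofah (2.2.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    nokogiri (1.8.2)
      mini_portile2 (~> 2.3.0)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)
LOCK

# Resolved gem versions sit at exactly four spaces of indent in Gemfile.lock;
# six-space lines are dependency constraints such as "loofah (~> 2.0)" and
# must not be mistaken for the installed version.
def locked_loofah_version(lockfile_text)
  m = lockfile_text.match(/^ {4}loofah \(([^)\s]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Applies the advisory's conditions in order and reports which one decided.
def loofah_advisory_status(lockfile_text, engine:, libxml2_version:)
  loofah = locked_loofah_version(lockfile_text)
  return :loofah_not_found if loofah.nil?
  return :patched if loofah >= FIXED_LOOFAH
  return :not_affected_engine unless AFFECTED_ENGINES.include?(engine)
  return :not_affected_libxml2 if Gem::Version.new(libxml2_version) < RISKY_LIBXML2
  :affected
end

if __FILE__ == $PROGRAM_NAME
  puts loofah_advisory_status(SAMPLE_LOCK, engine: RUBY_ENGINE, libxml2_version: "2.9.4")
end
```

A result of `:not_affected_engine` or `:not_affected_libxml2` reflects the current runtime only; upgrading to Loofah 2.2.1 or later removes the dependency on those conditions.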