rails-html-sanitizer is vulnerable to cross-site scripting. The vulnerability exists in the loofah_using_html5? and remove_safelist_tag_combinations functions in sanitizer.rb: it allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both select and style elements.
Vendor | Product | Version | CPE |
---|---|---|---|
rubyonrails | rails_html_sanitizers | 1.3.0-1 | cpe:2.3:a:rubyonrails:rails_html_sanitizers:1.3.0-1:*:*:*:*:rails:*:* |
typo3 | html_sanitizer | 1.4.3_2.el8sat | cpe:2.3:a:typo3:html_sanitizer:1.4.3_2.el8sat:*:*:*:*:*:*:* |
typo3 | html_sanitizer | 1.3.0_2.el8sat | cpe:2.3:a:typo3:html_sanitizer:1.3.0_2.el8sat:*:*:*:*:*:*:* |
typo3 | html_sanitizer | * | cpe:2.3:a:typo3:html_sanitizer:*:*:*:*:*:*:*:* |