Source: ruby-rails-html-sanitizer
Version: 1.4.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for ruby-rails-html-sanitizer.

CVE-2022-32209[0]:
| # Possible XSS Vulnerability in Rails::Html::Sanitizer
|
| There is a possible XSS vulnerability with certain configurations of
| Rails::Html::Sanitizer. This vulnerability has been assigned the CVE
| identifier CVE-2022-32209.
|
| Versions Affected: ALL
| Not affected: NONE
| Fixed Versions: v1.4.3
|
| ## Impact
|
| A possible XSS vulnerability with certain configurations of
| Rails::Html::Sanitizer may allow an attacker to inject content if the
| application developer has overridden the sanitizer's allowed tags to
| allow both `select` and `style` elements.
|
| Code is only impacted if allowed tags are being overridden. This may be
| done via application configuration:
|
| ```ruby
| # In config/application.rb
| config.action_view.sanitized_allowed_tags = ["select", "style"]
| ```
|
| see https://guides.rubyonrails.org/configuring.html#configuring-action-view
|
| Or it may be done with a `:tags` option to the Action View helper
| `sanitize`:
|
| ```
| <%= sanitize @comment.body, tags: ["select", "style"] %>
| ```
|
| see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
|
| Or it may be done with Rails::Html::SafeListSanitizer directly:
|
| ```ruby
| # class-level option
| Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
| ```
|
| or
|
| ```ruby
| # instance-level option
| Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
| ```
|
| All users overriding the allowed tags by any of the above mechanisms to
| include both "select" and "style" should either upgrade or use one of
| the workarounds immediately.
|
| ## Releases
|
| The FIXED releases are available at the normal locations.
|
| ## Workarounds
|
| Remove either `select` or `style` from the overridden allowed tags.
|
| ## Credits
|
| This vulnerability was responsibly reported by
| [windshock](https://hackerone.com/windshock?type=user).
If you fix the vulnerability please also make sure to include the CVE
(Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32209
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209
[1] https://hackerone.com/reports/1530898
[2] https://discuss.rubyonrails.org/t/cve-2022-32209-possible-xss-vulnerability-in-rails-sanitizer/80800
[3] https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
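The quoted advisory's affected condition (an overridden allow-list containing both `select` and `style`) and its workaround (drop one of the two) can be checked mechanically before a package or application is shipped. The following is an added example, not code from the Debian report, the upstream advisory or the rails-html-sanitizer gem: it is plain Ruby with no Rails dependency, the helper names are assumptions, and the tag lists it audits are constructed samples standing in for the three configuration mechanisms the advisory lists.

```ruby
# Added example: audit Rails::Html::Sanitizer allow-lists for the
# CVE-2022-32209 condition and apply the advisory's workaround.
# Pure Ruby; helper names and sample values are assumptions for this example.

# The affected configuration: both tags present in one allow-list.
RISKY_PAIR = %w[select style].freeze

# Accept whatever shape the allow-list was given in (Array, Set, Symbols,
# mixed case) and reduce it to a unique list of lowercase tag names.
def normalise_tags(tags)
  Array(tags).map { |t| t.to_s.downcase.strip }.uniq
end

# True when the allow-list matches the affected configuration.
def select_and_style_allowed?(tags)
  (RISKY_PAIR - normalise_tags(tags)).empty?
end

# Advisory workaround: remove one of the two tags. Defaults to dropping
# "style", since user-supplied content rarely needs inline stylesheets.
def apply_workaround(tags, drop: "style")
  raise ArgumentError, "drop must be 'select' or 'style'" unless RISKY_PAIR.include?(drop)
  normalise_tags(tags) - [drop]
end

# Audit several allow-lists at once: source label => affected? (true/false).
def audit(configs)
  configs.each_with_object({}) do |(source, tags), findings|
    findings[source] = select_and_style_allowed?(tags)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values mirroring the advisory's three mechanisms.
  sample = {
    "config.action_view.sanitized_allowed_tags" => %w[select style],
    "sanitize(..., tags: [...])"                => %w[p a select],
    "Rails::Html::SafeListSanitizer.allowed_tags" => %w[style p],
  }
  audit(sample).each { |src, hit| puts "#{hit ? 'AFFECTED' : 'ok      '} #{src}" }
  puts "workaround: #{apply_workaround(%w[select style p]).inspect}"
end
```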