oss-sec mailing list archives

Sanitize <= 4.6.2 HTML injection and XSS

From: Ryan Grove <ryan () wonko com>
Date: Mon, 19 Mar 2018 19:50:42 -0700

Sanitize is a Ruby library that removes unacceptable HTML and CSS from a string based on a whitelist. Versions 4.6.2 
and below contain an HTML injection vulnerability that allows XSS.

Details are included below, and can also be found at:

https://github.com/rgrove/sanitize/issues/176 

====

# Sanitize XSS vulnerability

This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I’d like to thank the 
Shopify Application Security Team for responsibly reporting this vulnerability.

## Description

A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted 
HTML element.

## Affected Versions

Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2

## Mitigation

Upgrade to Sanitize 4.6.3.

## History of this vulnerability

- 2018-03-19: Reported by Shopify Application Security Team via email
- 2018-03-19: Sanitize 4.6.3 released with a fix
- 2018-03-19: Initial vulnerability report published

Current thread:

Sanitize <= 4.6.2 HTML injection and XSS Ryan Grove (Mar 19)
- Re: Sanitize <= 4.6.2 HTML injection and XSS Ryan Grove (Mar 20)