oss-sec mailing list archives
Sanitize <= 4.6.2 HTML injection and XSS
From: Ryan Grove <ryan () wonko com>
Date: Mon, 19 Mar 2018 19:50:42 -0700
Sanitize is a Ruby library that removes unacceptable HTML and CSS from a string based on a whitelist. Versions 4.6.2 and below contain an HTML injection vulnerability that allows XSS. Details are included below, and can also be found at:

https://github.com/rgrove/sanitize/issues/176

====

# Sanitize XSS vulnerability

This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I’d like to thank the Shopify Application Security Team for responsibly reporting this vulnerability.

## Description

A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted HTML element.

## Affected Versions

Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2

## Mitigation

Upgrade to Sanitize 4.6.3.

## History of this vulnerability

- 2018-03-19: Reported by Shopify Application Security Team via email
- 2018-03-19: Sanitize 4.6.3 released with a fix
- 2018-03-19: Initial vulnerability report published
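The advisory scopes the bug to a combination of two versions: Sanitize below 4.6.3 together with libxml2 2.9.2 or newer. The libxml2 half is easy to get wrong, because Ruby code reaches libxml2 through Nokogiri, and the version Nokogiri was compiled against is not always the one it loads at runtime (a system libxml2 may be picked up instead of the vendored one). The following Ruby is an added example, not code from the advisory or the Sanitize project: it encodes the stated affected range with Gem::Version and, where the gems are installed, reads Sanitize::VERSION and the libxml2 version Nokogiri reports as loaded. The constant names and the affected? / installed_status helpers are this example's own.

```ruby
# Added example: check an installed Sanitize + libxml2 pair against the
# range the advisory names (Sanitize < 4.6.3 with libxml2 >= 2.9.2).
# Not part of the Sanitize project; helper names are this example's own.
require "rubygems" # provides Gem::Version (a no-op on modern Ruby)

# Boundaries taken directly from the advisory's "Affected Versions" section.
FIXED_SANITIZE_VERSION   = Gem::Version.new("4.6.3")
TRIGGER_LIBXML2_VERSION  = Gem::Version.new("2.9.2")

# True when the pair falls inside the advisory's affected combination.
# Gem::Version handles multi-part strings such as "2.9.10" correctly,
# which a naive string comparison would not ("2.9.10" < "2.9.2" as text).
def affected?(sanitize_version, libxml2_version)
  Gem::Version.new(sanitize_version) < FIXED_SANITIZE_VERSION &&
    Gem::Version.new(libxml2_version) >= TRIGGER_LIBXML2_VERSION
end

# Inspect the running environment. Uses the libxml2 version Nokogiri
# actually loaded (falling back to the compiled-against version), since
# the loaded library is what serializes Sanitize's output.
# Returns nil when Sanitize or Nokogiri is not installed.
def installed_status
  require "sanitize"
  require "nokogiri"
  libxml2 = Nokogiri::VERSION_INFO.dig("libxml", "loaded") ||
            Nokogiri::VERSION_INFO.dig("libxml", "compiled")
  return nil unless libxml2
  {
    sanitize: Sanitize::VERSION,
    libxml2:  libxml2,
    affected: affected?(Sanitize::VERSION, libxml2)
  }
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  status = installed_status
  if status
    puts "Sanitize #{status[:sanitize]} with libxml2 #{status[:libxml2]}: " \
         "#{status[:affected] ? 'AFFECTED, upgrade to 4.6.3' : 'outside the stated range'}"
  else
    puts "sanitize/nokogiri not installed; nothing to check"
  end
end
```

A pair that falls outside the stated range (for example Sanitize 4.6.2 on a libxml2 older than 2.9.2) is not reported as affected, but the mitigation in the advisory is still to upgrade Sanitize to 4.6.3 rather than to pin an old libxml2.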
Current thread:
- Sanitize <= 4.6.2 HTML injection and XSS Ryan Grove (Mar 19)
- Re: Sanitize <= 4.6.2 HTML injection and XSS Ryan Grove (Mar 20)