CVE-2022-23519
Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Description
## Summary There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. - Versions affected: ALL - Not affected: NONE - Fixed versions: 1.4.4 ## Impact A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: - allow both "math" and "style" elements, - or allow both "svg" and "style" elements Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways: 1. using application configuration: ```ruby # In config/application.rb config.action_view.sanitized_allowed_tags = ["math", "style"] # or config.action_view.sanitized_allowed_tags = ["svg", "style"] ``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view 2. using a `:tags` option to the Action View helper `sanitize`: ``` <%= sanitize @comment.body, tags: ["math", "style"] %> <%# or %> <%= sanitize @comment.body, tags: ["svg", "style"] %> ``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize 3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`: ```ruby # class-level option Rails::Html::SafeListSanitizer.allowed_tags = ["math", "style"] # or Rails::Html::SafeListSanitizer.allowed_tags = ["svg", "style"] ``` 4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`: ```ruby # instance-level option Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"]) # or Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"]) ``` All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately. ## Workarounds Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags. ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - https://hackerone.com/reports/1656627 ## Credit This vulnerability was responsibly reported by Dominic Breuker.
How to fix CVE-2022-23519
To remediate CVE-2022-23519, upgrade the affected package to a fixed version below.
- —