Skip to content

dep: [security] bump rails-html-sanitizer from 1.4.2 to 1.4.3

Bumps rails-html-sanitizer from 1.4.2 to 1.4.3. This update includes a security fix.

Vulnerabilities fixed

Rails::Html::Sanitizer vulnerable to Cross-site Scripting Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both select and style elements. Code is only impacted if allowed tags are being overridden.

This may be done via application configuration: ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a :tags option to the Action View helper sanitize: <%= sanitize @comment.body, tags: ["select", "style"] %>

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

It may also be done with Rails::Html::SafeListSanitizer directly: ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"] or with ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])

All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either select or style from the overridden allowed tags.

Patched versions: 1.4.3 Affected versions: < 1.4.3

Release notes

Sourced from rails-html-sanitizer's releases.

1.4.3 / 2022-06-09

  • Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

    Prevent the combination of select and style as allowed tags in SafeListSanitizer.

    Fixes CVE-2022-32209

    Mike Dalessio

Changelog

Sourced from rails-html-sanitizer's changelog.

1.4.3 / 2022-06-09

  • Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

    Prevent the combination of select and style as allowed tags in SafeListSanitizer.

    Fixes CVE-2022-32209

    Mike Dalessio

Commits
  • f83f08c version bump to v1.4.3
  • 924e3ab update CHANGELOG for v1.4.3
  • 9b79253 Merge pull request #137 from rails/flavorjones-prevent-select-style-combinati...
  • 45a5c10 fix: modify safelist option if it contains both select and style
  • 045774a test: clean up tests by using the helpers
  • fe109c9 test: ensure we pass with libxml 2.9.14
  • 9778c47 test: ensure tests pass when nokogiri uses system libxml2
  • 9c421f0 ci: add coverage for system libxml2
  • 984b82e ci: include coverage of ruby 3.1 and jruby 9.3
  • 18f2f2c test: finally use the CSS hex encoding originally intended
  • See full diff in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • @dependabot-bot rebase will rebase this MR
  • @dependabot-bot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Allure report

allure-report-publisher generated test report!

rspec: test report for 27533e07

+------------------------------------------------------------------+
|                        behaviors summary                         |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| services    | 174    | 0      | 0       | 0     | 174   | ✅     |
| jobs        | 14     | 0      | 0       | 0     | 14    | ✅     |
| controllers | 25     | 0      | 0       | 0     | 25    | ✅     |
| models      | 3      | 0      | 0       | 0     | 3     | ✅     |
| tasks       | 8      | 0      | 0       | 0     | 8     | ✅     |
| system      | 10     | 0      | 0       | 0     | 10    | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 234    | 0      | 0       | 0     | 234   | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
Edited by George Koltsov

Merge request reports

Loading