loofah is vulnerable to cross-site scripting. The vulnerability exists due to the lack of sanitization data urls in the image/svg+xml
parameter in safelist.rb
which allows a remote attacker to inject and execute malicious JavaScript into the system.
github.com/advisories/GHSA-228g-948r-83gx
github.com/flavorjones/loofah/commit/415677f3cf7f9254f42f811e784985cd63c7407f
github.com/flavorjones/loofah/issues/101
github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
github.com/w3c/svgwg/issues/266
hackerone.com/reports/1694173
lists.debian.org/debian-lts-announce/2023/09/msg00011.html