rails-html-sanitizer is vulnerable to cross site scripting. The vulnerability exists in the scrub_attribute
function of scrubbers.rb
when the data URIs are used in combination with loofah.
github.com/advisories/GHSA-mcvf-2q2m-x72m
github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4
github.com/rails/rails-html-sanitizer/issues/135
github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
hackerone.com/reports/1694173
lists.debian.org/debian-lts-announce/2023/09/msg00012.html