rails-html-sanitizer is vulnerable to regular expression denial of service (ReDoS). The vulnerability exists due to the insecure regex pattern applied to attr_node.value in the scrub_attributes function of scrubbers.rb, allowing an attacker to crash the application by providing malicious SVG attributes.
github.com/advisories/GHSA-5x79-w82f-gw8w
github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979
github.com/rails/rails-html-sanitizer/commit/f0e33477a0557dbdbefc3e470c7df3a64efb002a
github.com/rails/rails-html-sanitizer/pull/147
github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
hackerone.com/reports/1684163
lists.debian.org/debian-lts-announce/2023/09/msg00012.html