Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 19 Mar 2018 19:50:42 -0700
From: Ryan Grove <>
Subject: Sanitize <= 4.6.2 HTML injection and XSS

Sanitize is a Ruby library that removes unacceptable HTML and CSS from a string based on a whitelist. Versions 4.6.2 and below contain an HTML injection vulnerability that allows XSS.

Details are included below, and can also be found at: 


# Sanitize XSS vulnerability

This is a public disclosure of an HTML injection vulnerability in Sanitize that could allow XSS. I’d like to thank the Shopify Application Security Team for responsibly reporting this vulnerability.

## Description

A specially crafted HTML fragment can cause Sanitize to allow non-whitelisted attributes to be used on a whitelisted HTML element.

## Affected Versions

Sanitize < 4.6.3, but only in combination with libxml2 >= 2.9.2

## Mitigation

Upgrade to Sanitize 4.6.3.

## History of this vulnerability

- 2018-03-19: Reported by Shopify Application Security Team via email
- 2018-03-19: Sanitize 4.6.3 released with a fix
- 2018-03-19: Initial vulnerability report published

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ