Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update rails-html-sanitizer (CVE-2018-3741) #1731

Merged
merged 1 commit into from
Mar 26, 2018

Conversation

robbkidd
Copy link
Contributor

Addresses CVE-2018-3741:

There is a possible XSS vulnerability in rails-html-sanitizer. The
gem allows non-whitelisted attributes to be present in sanitized
output when input with specially-crafted HTML fragments, and these
attributes can lead to an XSS attack on target applications.

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
Addresses CVE-2018-3741[1]:

> There is a possible XSS vulnerability in rails-html-sanitizer.  The
> gem allows non-whitelisted attributes to be present in sanitized
> output when input with specially-crafted HTML fragments, and these
> attributes can lead to an XSS attack on target applications.

[1] https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Signed-off-by: Robb Kidd <rkidd@chef.io>
@robbkidd robbkidd requested a review from a team March 26, 2018 17:30
@robbkidd robbkidd merged commit a22571e into master Mar 26, 2018
@robbkidd robbkidd deleted the robb/update-rails-html-sanitizer branch March 26, 2018 17:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

1 participant