rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.
Metrics
Affected Vendors & Products
Advisories
Source | ID | Title |
---|---|---|
![]() |
DLA-3566-1 | ruby-rails-html-sanitizer security update |
![]() |
DLA-3902-1 | ruby-rails-html-sanitizer security update |
![]() |
EUVD-2022-7685 | rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4. |
![]() |
GHSA-mcvf-2q2m-x72m | Improper neutralization of data URIs may allow XSS in rails-html-sanitizer |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Sat, 12 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
epss
|
epss
|

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2025-02-13T16:32:17.595Z
Reserved: 2022-01-19T21:23:53.779Z
Link: CVE-2022-23518

No data.

Status : Modified
Published: 2022-12-14T17:15:10.713
Modified: 2024-11-21T06:48:43.957
Link: CVE-2022-23518


No data.