Package Instance

Loofah Allows Cross-site Scripting
In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Improper detection of disallowed URIs by Loofah `allowed_uri?`
## Summary

`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `
` (carriage return), `
` (line feed), or `	` (tab).

## Details

The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java
script:alert(1)` survive the control character strip, then `
` is decoded to a carriage return, producing `java\rscript:alert(1)`.

Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.

## Impact

Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).

This only affects Loofah `2.25.0`.

## Mitigation

Upgrade to Loofah >= `2.25.1`.

## Credit

Responsibly reported by HackOne user `@smlee`.

Cross-site Scripting
In the Loofah gem for Ruby, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Inefficient Regular Expression Complexity in Loofah
## Summary

Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.


## Mitigation

Upgrade to Loofah `>= 2.19.1`.


## Severity

The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).


## References

- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)
- https://hackerone.com/reports/1684163


## Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
In the Loofah gem for Ruby, denylisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
## Summary

rails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`.


## Mitigation

Upgrade to rails-html-sanitizer `>= 1.4.4`.


## Severity

The maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).


## References

- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)
- https://github.com/rails/rails-html-sanitizer/issues/135
- https://hackerone.com/reports/1694173


## Credit

This vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).