VulnerableCode Package Details - pkg:deb/debian/ruby-rails-html-sanitizer@1.4.3-0.1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ete9-xwuw-puf8	Rails::Html::Sanitizer vulnerable to Cross-site Scripting Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. This may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view Or it may be done with a `:tags` option to the Action View helper `sanitize`: ```<%= sanitize @comment.body, tags: ["select", "style"] %>``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize It may also be done with Rails::Html::SafeListSanitizer directly: ```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]``` or with ```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])``` All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.	CVE-2022-32209 GHSA-pg8v-g4xq-hww9

Vulnerability

Summary

Aliases

VCID-ete9-xwuw-puf8

Rails::Html::Sanitizer vulnerable to Cross-site Scripting Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. This may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view Or it may be done with a `:tags` option to the Action View helper `sanitize`: ```<%= sanitize @comment.body, tags: ["select", "style"] %>``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize It may also be done with Rails::Html::SafeListSanitizer directly: ```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]``` or with ```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])``` All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.

CVE-2022-32209
GHSA-pg8v-g4xq-hww9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T08:55:29.531638+00:00	Debian Importer	Fixing	VCID-ete9-xwuw-puf8	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-11T17:59:22.980377+00:00	Debian Importer	Fixing	VCID-ete9-xwuw-puf8	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:52:22.055376+00:00	Debian Importer	Fixing	VCID-ete9-xwuw-puf8	https://security-tracker.debian.org/tracker/data/json	38.1.0