Vulnerabilities affecting this package (1)
| Vulnerability |
Summary |
Fixed by |
VCID-amsh-qpt1-9qb7
Aliases:
GHSA-46fp-8f5p-pf2m
|
Improper detection of disallowed URIs by Loofah `allowed_uri?`
## Summary
`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as ` ` (carriage return), ` ` (line feed), or `	` (tab).
## Details
The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java script:alert(1)` survive the control character strip, then ` ` is decoded to a carriage return, producing `java\rscript:alert(1)`.
Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.
## Impact
Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).
This only affects Loofah `2.25.0`.
## Mitigation
Upgrade to Loofah >= `2.25.1`.
## Credit
Responsibly reported by HackOne user `@smlee`.
|
There are no reported fixed by versions.
|
Vulnerabilities fixed by this package (2)
| Vulnerability |
Summary |
Aliases |
|
VCID-amsh-qpt1-9qb7
|
Improper detection of disallowed URIs by Loofah `allowed_uri?`
## Summary
`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as ` ` (carriage return), ` ` (line feed), or `	` (tab).
## Details
The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java script:alert(1)` survive the control character strip, then ` ` is decoded to a carriage return, producing `java\rscript:alert(1)`.
Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.
## Impact
Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).
This only affects Loofah `2.25.0`.
## Mitigation
Upgrade to Loofah >= `2.25.1`.
## Credit
Responsibly reported by HackOne user `@smlee`.
|
GHSA-46fp-8f5p-pf2m
|
|
VCID-qz71-ek2u-8ybh
|
Loofah has improper detection of disallowed URIs via `allowed_uri?`
## Summary
`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as ` ` (carriage return), ` ` (line feed), or `	` (tab).
## Details
The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java script:alert(1)` survive the control character strip, then ` ` is decoded to a carriage return, producing `java\rscript:alert(1)`.
Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.
## Impact
Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).
This only affects Loofah `2.25.0`.
## Mitigation
Upgrade to Loofah >= `2.25.1`.
## Credit
Responsibly reported by HackOne user @smlee.
|
GHSA-2j22-pr5w-6gq8
|