VulnerableCode Package Details - pkg:rpm/redhat/rubygem-rails-html-sanitizer@1.4.3-2?arch=el8sat

Search for packages

Vulnerability	Summary	Fixed by
VCID-ete9-xwuw-puf8 Aliases: CVE-2022-32209 GHSA-pg8v-g4xq-hww9	Rails::Html::Sanitizer vulnerable to Cross-site Scripting Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. This may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view Or it may be done with a `:tags` option to the Action View helper `sanitize`: ```<%= sanitize @comment.body, tags: ["select", "style"] %>``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize It may also be done with Rails::Html::SafeListSanitizer directly: ```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]``` or with ```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])``` All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-ete9-xwuw-puf8
Aliases:
CVE-2022-32209
GHSA-pg8v-g4xq-hww9

Rails::Html::Sanitizer vulnerable to Cross-site Scripting Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. This may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view Or it may be done with a `:tags` option to the Action View helper `sanitize`: ```<%= sanitize @comment.body, tags: ["select", "style"] %>``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize It may also be done with Rails::Html::SafeListSanitizer directly: ```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]``` or with ```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])``` All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:58:07.816828+00:00	RedHat Importer	Affected by	VCID-ete9-xwuw-puf8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32209.json	38.0.0

2026-04-01T13:58:07.816828+00:00

RedHat Importer

Affected by

VCID-ete9-xwuw-puf8

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-32209.json

38.0.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	3.1