Package Instance

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs additional escaping of CSS in `style` element content, which fixes this issue. Users who are unable to upgrade can prevent this issue by using a Sanitize config that does not allow `style` elements, using a Sanitize config that does not allow CSS at-rules, or by manually escaping the character sequence `</` as `<\/` in `style` element content.

Cross-site scripting vulnerability via `<math>` or `<svg>` element in Sanitize
When HTML is sanitized using Sanitize's "relaxed" config or a custom config that allows certain
elements, some content in a `<math>` or `<svg>` element may not be sanitized correctly even if
`math` and `svg` are not in the allowlist.

You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom
config that allows one or more of the following HTML elements:

- `iframe`
- `math`
- `noembed`
- `noframes`
- `noscript`
- `plaintext`
- `script`
- `style`
- `svg`
- `xmp`

### Impact

Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize,
potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is
rendered in a browser.

### Releases

This problem has been fixed in Sanitize 5.2.1.

### Workarounds

If upgrading is not possible, a workaround is to override the default value of Sanitize's
`:remove_contents` config option with the following value, which ensures that the contents of
`math` and `svg` elements (among others) are removed entirely when those elements are not in the
allowlist:

```ruby
%w[iframe math noembed noframes noscript plaintext script style svg xmp]
```

For example, if you currently use Sanitize's relaxed config, you can create a custom config
object that overrides the default value of `:remove_contents` like this:

```ruby
custom_config = Sanitize::Config.merge(
  Sanitize::Config::RELAXED,
  :remove_contents => %w[iframe math noembed noframes noscript plaintext script style svg xmp]
)
```

You would then pass this custom config to Sanitize when sanitizing HTML.

HTML injection/XSS
When sanitize is used in combination with libxml2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing attributes that are not specified in the allowlist to be used. This can allow HTML and JavaScript injection, which could result in XSS if the output is served to browsers.

HTML injection/XSS
When sanitize is used in combination with libxml2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing attributes that are not specified in the allowlist to be used. This can allow HTML and JavaScript injection, which could result in XSS if the output is served to browsers.