CVE-2022-32209.yml

---
gem: rails-html-sanitizer
cve: 2022-32209
ghsa: pg8v-g4xq-hww9
url: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s
title: Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
date: 2022-06-09
description: |
  There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
  This vulnerability has been assigned the CVE identifier CVE-2022-32209.

  Versions Affected: ALL
  Not affected: NONE
  Fixed Versions: v1.4.3

  ## Impact

  A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
  may allow an attacker to inject content if the application developer has overridden
  the sanitizer's allowed tags to allow both `select` and `style` elements.

  Code is only impacted if allowed tags are being overridden. This may be done via
  application configuration:

  ```ruby
  # In config/application.rb
  config.action_view.sanitized_allowed_tags = ["select", "style"]
  ```

  see https://guides.rubyonrails.org/configuring.html#configuring-action-view

  Or it may be done with a `:tags` option to the Action View helper `sanitize`:

  ```
  <%= sanitize @comment.body, tags: ["select", "style"] %>
  ```

  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

  Or it may be done with Rails::Html::SafeListSanitizer directly:

  ```ruby
  # class-level option
  Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
  ```

  or

  ```ruby
  # instance-level option
  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
  ```

  All users overriding the allowed tags by any of the above mechanisms to include
  both "select" and "style" should either upgrade or use one of the workarounds immediately.

  ## Workarounds

  Remove either `select` or `style` from the overridden allowed tags.
cvss_v3: 6.1
patched_versions:
  - ">= 1.4.3"