VYPR
Moderate severity · NVD Advisory · Published Mar 30, 2018 · Updated Aug 5, 2024

CVE-2018-3741

Description

There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

XSS vulnerability in rails-html-sanitizer <1.0.4 allows non-whitelisted attributes in sanitized output, leading to cross-site scripting.

Vulnerability

The rails-html-sanitizer gem before 1.0.4 can emit a permitted attribute whose value still contains an unescaped double quote, so its output is not safe to re-parse. The patch's tests pin down the trigger: a whitelisted URI-type attribute (`href`, `src`, `name` or `action`) whose value wraps `"` and a space inside an HTML comment, e.g. `<a href='examp<!--" unsafeattr=foo()>-->le.com'>`. When a browser parses the sanitized output, the `"` terminates the `href` value and `unsafeattr=foo()` is read as a second attribute that the whitelist never saw. The underlying serializer behaviour is the one fixed in Loofah as CVE-2018-8048 [1][2]; the fix here calls Loofah's escaping routine from rails-html-sanitizer's own attribute scrubbing (see the patch below).

Exploitation

An attacker needs no privileges, only a path for HTML into content the application sanitizes and re-renders, such as comments, profile fields or rich-text form input. The payload places `"` and a space inside an HTML comment within an otherwise legitimate URI attribute value; the sanitizer keeps the attribute because its name is whitelisted, but the value is written back without escaping, so the browser's re-parse sees extra attributes that were never filtered [3]. The patch's tests use the inert marker `unsafeattr=foo()`; in a real attack the smuggled attribute would be one the browser executes, such as an event handler.

Impact

Successful exploitation leads to stored or reflected cross-site scripting (XSS), allowing arbitrary JavaScript execution in the victim's browser session within the context of the target application.

Mitigation

Upgrade to rails-html-sanitizer 1.0.4 or later. The fix (the patch below) calls `Loofah::HTML5::Scrub.force_correct_attribute_escaping!` on each scrubbed element, which URI-escapes the affected attribute values so the embedded quote and space come out as `%22%20` and can no longer end the attribute [3]. That method is new in Loofah 2.2.2, the CVE-2018-8048 fix, so the gemspec now requires `loofah ~> 2.2, >= 2.2.2`; a Gemfile.lock pinning an older loofah must be updated along with the gem. The page documents no other workaround. Application-level input validation would have to reject `<!--` and `"` inside URL-type attribute values and is easy to get wrong, and disabling the sanitizer for untrusted input is not a mitigation at all; it removes the control and makes the XSS unconditional. Until the upgrade lands, do not render untrusted HTML through the vulnerable sanitizer.
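The attribute break-out described under Vulnerability, Exploitation and Mitigation, as an added example in plain Ruby. This is not code from rails-html-sanitizer, Loofah or libxml2 and needs no gems: it uses the payload from the patch's tests (constructed input), a deliberately simplified "vulnerable" serializer that writes URI-attribute values back verbatim (the real serializer logic is not reproduced), a fixed serializer that percent-encodes them the way the patched tests expect (`"` becomes `%22`, space becomes `%20`), and a small quote-aware tag tokenizer standing in for a browser's parser. The names `serialize_vulnerable`, `serialize_fixed`, `uri_escape`, `attribute_names` and `injected_attributes` are chosen here, not taken from any library.

```ruby
# Added example, not code from rails-html-sanitizer or Loofah. Models the
# CVE-2018-3741 attribute break-out without any gems installed.
require 'strscan'
require 'cgi'

# Constructed input: the payload used by the patch's tests. The `"` and the
# space sit inside an HTML comment within an otherwise permitted href value.
PAYLOAD = %q{examp<!--" unsafeattr=foo()>-->le.com}

# Attributes whose values the fix URI-escapes (the four covered by the tests).
URI_ATTRS = %w[href src action name].freeze

# Vulnerable behaviour, simplified: a whitelisted URI attribute is written
# back with its value verbatim, so the embedded `"` closes the attribute.
# Non-URI attributes get ordinary entity escaping, as they did before.
def serialize_vulnerable(attr_name, value)
  value = CGI.escapeHTML(value) unless URI_ATTRS.include?(attr_name)
  %(<a #{attr_name}="#{value}">test</a>)
end

# Percent-encode everything that is not URL syntax. `%` is kept so an
# already-encoded value is not double-encoded; `"` -> %22, space -> %20,
# matching the expected strings in the patched test file.
def uri_escape(value)
  value.gsub(%r{[^A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%<>]}) { |c| format('%%%02X', c.ord) }
end

# Fixed behaviour: URI attributes are percent-encoded before serialisation,
# other attributes are entity-escaped as usual.
def serialize_fixed(attr_name, value)
  value = URI_ATTRS.include?(attr_name) ? uri_escape(value) : CGI.escapeHTML(value)
  %(<a #{attr_name}="#{value}">test</a>)
end

# Minimal quote-aware tokenizer standing in for the browser: returns the
# attribute names a re-parse of the serialized <a> start tag would produce.
def attribute_names(html)
  s = StringScanner.new(html)
  names = []
  return names unless s.skip(/<a\b/)
  until s.eos? || s.skip(%r{\s*/?>})
    s.skip(/\s+/)
    name = s.scan(%r{[^\s=>/"']+}) or break
    names << name
    next unless s.skip(/\s*=\s*/)
    if s.skip(/"/)    then s.skip_until(/"/)   # double-quoted value
    elsif s.skip(/'/) then s.skip_until(/'/)   # single-quoted value
    else s.skip(/[^\s>]*/)                     # unquoted value
    end
  end
  names
end

# Attributes the re-parse produces that the whitelist never approved.
def injected_attributes(html, permitted)
  attribute_names(html) - permitted
end

if $PROGRAM_NAME == __FILE__
  bad  = serialize_vulnerable('href', PAYLOAD)
  good = serialize_fixed('href', PAYLOAD)
  puts "vulnerable: #{bad}"
  puts "  attributes after re-parse: #{attribute_names(bad).inspect}"
  puts "fixed:      #{good}"
  puts "  attributes after re-parse: #{attribute_names(good).inspect}"
end
```

Running the file shows the vulnerable output re-parsing to `["href", "unsafeattr"]` and the fixed output to `["href"]`. The same payload in a non-URI attribute such as `title` is entity-escaped on both paths and never breaks out, which is why the patched tests only cover `href`, `src`, `name` and `action`.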

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: rails-html-sanitizer (RubyGems)
Affected versions: < 1.0.4
Patched versions: 1.0.4

Affected products: 8

Patches: 1
f3ba1a839a35

Make sure we address CVE-2018-8048

https://github.com/rails/rails-html-sanitizer · Rafael Mendonça França · Mar 21, 2018 · via ghsa
3 files changed · +37 -3
  • lib/rails/html/scrubbers.rb (+2 -0, modified)
    @@ -153,6 +153,8 @@ def scrub_attribute(node, attr_node)
             end
     
             node.remove_attribute(attr_node.name) if attr_name == 'src' && attr_node.value !~ /[^[:space:]]/
    +
    +        Loofah::HTML5::Scrub.force_correct_attribute_escaping! node
           end
         end
     
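Review bot: `Loofah::HTML5::Scrub.force_correct_attribute_escaping! node` is added at the end of `scrub_attribute(node, attr_node)`, which runs once per attribute, but the call takes the whole `node` and re-escapes every attribute on it, so an element with several permitted attributes does the same work several times over. Hoist it to the loop that calls `scrub_attribute`, after that loop, so it runs once per element; same output, less repeated work. A one-line comment naming CVE-2018-8048 and the loofah >= 2.2.2 requirement would also help, since nothing in this file tells a reader why a bare Loofah call now sits in the Rails scrubber.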
    
  • rails-html-sanitizer.gemspec (+1 -1, modified)
    @@ -17,7 +17,7 @@ Gem::Specification.new do |spec|
       spec.test_files    = Dir["test/**/*"]
       spec.require_paths = ["lib"]
     
    -  spec.add_dependency "loofah", "~> 2.0"
    +  spec.add_dependency "loofah", "~> 2.2", ">= 2.2.2"
     
       spec.add_development_dependency "bundler", "~> 1.3"
       spec.add_development_dependency "rake"
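Review bot: the new constraint `"~> 2.2", ">= 2.2.2"` is required, not cosmetic: `force_correct_attribute_escaping!` only exists from loofah 2.2.2 (the CVE-2018-8048 fix) and the old `~> 2.0` would resolve to a loofah that lacks it, turning the scrubbers.rb change into a NoMethodError at scrub time. The CHANGELOG and release notes for 1.0.4 should say that the upgrade pulls in loofah >= 2.2.2, so teams with a pinned loofah understand why their lockfile changes or why resolution fails.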
    
  • test/sanitizer_test.rb (+34 -2, modified)
    @@ -385,13 +385,13 @@ def test_should_sanitize_attributes
     
       def test_should_sanitize_illegal_style_properties
         raw      = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
    -    expected = %(display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;)
    +    expected = %(display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;)
         assert_equal expected, sanitize_css(raw)
       end
     
       def test_should_sanitize_with_trailing_space
         raw = "display:block; "
    -    expected = "display: block;"
    +    expected = "display:block;"
         assert_equal expected, sanitize_css(raw)
       end
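Review bot: the two changed expectations here (`display: block;` becoming `display:block;`, and the spaces dropped from the longer CSS string) have nothing to do with attribute escaping; no code in this repository touches CSS output in this commit, so the new formatting presumably comes from the loofah bump in the gemspec. Either split this into its own commit or say in the commit message that the loofah upgrade changed `sanitize_css` output spacing; otherwise someone bisecting a CSS regression lands on a commit titled `Make sure we address CVE-2018-8048` with no explanation.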
     
    @@ -484,6 +484,38 @@ def test_allow_data_attribute_if_requested
         assert_equal %(<a data-foo="foo">foo</a>), white_list_sanitize(text, attributes: ['data-foo'])
       end
     
    +  def test_uri_escaping_of_href_attr_in_a_tag_in_white_list_sanitizer
    +    html = %{<a href='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
    +
    +    text = white_list_sanitize(html)
    +
    +    assert_equal %{<a href="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
    +  end
    +
    +  def test_uri_escaping_of_src_attr_in_a_tag_in_white_list_sanitizer
    +    html = %{<a src='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
    +
    +    text = white_list_sanitize(html)
    +
    +    assert_equal %{<a src="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
    +  end
    +
    +  def test_uri_escaping_of_name_attr_in_a_tag_in_white_list_sanitizer
    +    html = %{<a name='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
    +
    +    text = white_list_sanitize(html)
    +
    +    assert_equal %{<a name="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
    +  end
    +
    +  def test_uri_escaping_of_name_action_in_a_tag_in_white_list_sanitizer
    +    html = %{<a action='examp<!--" unsafeattr=foo()>-->le.com'>test</a>}
    +
    +    text = white_list_sanitize(html, attributes: ['action'])
    +
    +    assert_equal %{<a action="examp<!--%22%20unsafeattr=foo()>-->le.com">test</a>}, text
    +  end
    +
     protected
     
       def xpath_sanitize(input, options = {})
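Review bot: the test name `test_uri_escaping_of_name_action_in_a_tag_in_white_list_sanitizer` should be `test_uri_escaping_of_action_attr_in_a_tag_in_white_list_sanitizer`; the `name_` is a copy-paste leftover from the test above it. The four bodies are identical apart from the attribute, so a loop over `%w[href src name action]` (passing `attributes: ['action']` only for the last) would state the pattern and the `%22%20` expectation once. All four also use `<a>`; since `src` and `action` are normally carried by `img` and `form`, one test on those elements would show whether the escaping is specific to anchors.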
    

References: 3

News mentions: 0 (no linked articles in the index yet)