Moderate severity · NVD Advisory · Published May 16, 2022 · Updated Aug 2, 2024
Code Injection in publify/publify
CVE-2022-0578
Description
Code Injection in GitHub repository publify/publify prior to 9.2.8.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| publify_core (RubyGems) | < 9.2.8 | 9.2.8 |
Affected products
- Range: unspecified
Patches
b50df050c593 Do not allow images in comments
2 files changed · +28 −1
publify_core/app/models/feedback.rb+5 −1 modified@@ -67,6 +67,10 @@ def self.paginated(page, per_page) page(page).per(per_page) end + def self.allowed_tags + @allowed_tags ||= Rails::Html::SafeListSanitizer.allowed_tags - ["img"] + end + def parent article end @@ -86,7 +90,7 @@ def permalink_url(_anchor = :ignored, only_path = false) def html_postprocess(_field, html) helper = ContentTextHelpers.new - helper.sanitize(helper.auto_link(html)) + helper.sanitize(helper.auto_link(html), tags: self.class.allowed_tags) end def correct_url
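Review bot: the memoisation in `allowed_tags` (`@allowed_tags ||= Rails::Html::SafeListSanitizer.allowed_tags - ["img"]`) freezes the list at first call, so an application that later customises `Rails::Html::SafeListSanitizer.allowed_tags=` (for example in an initializer that loads after the first comment renders) will not see its change here, and each `Feedback` subclass that reaches this through `self.class.allowed_tags` keeps its own copy; the subtraction is cheap, so dropping the `||=` or documenting that the list is fixed on first use would avoid surprises. A short comment above the method stating why only `img` is removed (a remote image makes every reader's browser contact a host chosen by the commenter) would also help, since the `tags:` option in `html_postprocess` narrows tags only and leaves the default attribute list in place.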
publify_core/spec/models/comment_spec.rb+23 −0 modified@@ -268,6 +268,29 @@ def valid_comment(options = {}) end end + context "with a comment containing some html" do + let(:comment) do + described_class.new do |c| + c.body = "Test <b>foo</b> <img src=\"https://eviloverlord.com/getmyip.jpg\">" + c.author = "Bob" + c.article = build_stubbed(:article, blog: blog) + end + end + + ["", "textile", "markdown", "smartypants", "markdown smartypants"].each do |filter| + it "rejects images but not formatting with filter '#{filter}'" do + blog.comment_text_filter = filter + + html = comment.html(:body) + + ActiveSupport::Deprecation.silence do + expect(html).not_to match(/<img/) + expect(html).to match(%r{<b>foo</b>}) + end + end + end + end + context "with a markdown comment with italic and bold" do let(:comment) { build(:comment, body: "Comment body _italic_ **bold**") } let(:blog) { comment.article.blog }
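Review bot: `expect(html).not_to match(/<img/)` also passes if the tag is merely escaped to `&lt;img`, which would still render the URL as text; asserting on the absence of `eviloverlord.com` in the output, or on the exact expected string for each filter, would pin down that the element is dropped rather than displayed. The case only covers `Comment`, while `html_postprocess` lives on `Feedback`, so a matching example in the trackback spec would protect against a subclass overriding `html_postprocess` or `allowed_tags`. The `ActiveSupport::Deprecation.silence` wrapper hides whichever filter is deprecated; a one-line comment naming it would help the next reader.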
Vulnerability mechanics
Comment bodies are rendered through Feedback#html_postprocess, which runs the blog's text filter, auto-links URLs and then calls sanitize. Before the fix, sanitize used the default Rails::Html::SafeListSanitizer tag list, which allows img, so a commenter could embed an <img> whose src points at a host they control; every browser that displayed the comment would fetch it, revealing the visitor's IP address and user agent to that host (the spec added by the fix uses https://eviloverlord.com/getmyip.jpg as its example). The fix defines Feedback.allowed_tags as the default list minus "img" and passes it to sanitize through the tags: option, so formatting tags such as <b> still survive while images are stripped. Despite the advisory title, the patch addresses HTML injection in comments, not execution of code on the server.
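The allow-list change and a triage check, as an added example that is not publify's code and not the rails-html-sanitizer API: the default tag list below is reproduced from memory of rails-html-sanitizer's defaults (check it against the version you run), `strip_disallowed_tags` is a toy regex filter standing in for `helper.sanitize(html, tags: ...)` (it filters tag names only, does no attribute filtering and is not a sanitizer to deploy), and `flag_comments_with_images` is a hypothetical helper for scanning comment bodies stored before the upgrade, run here over constructed sample comments.

```ruby
require "set"

# Tag safe list shipped as the default of Rails::Html::SafeListSanitizer
# (rails-html-sanitizer), reproduced from memory so the example runs without
# Rails; verify against the gem version you use. "img" is on it, which is what
# made comment rendering dangerous.
RAILS_DEFAULT_ALLOWED_TAGS = Set.new(%w[
  strong em b i p code pre tt samp kbd var sub sup dfn cite big small address
  hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img
  blockquote del ins
]).freeze

# What the fix's Feedback.allowed_tags computes: the default list minus "img".
COMMENT_ALLOWED_TAGS = (RAILS_DEFAULT_ALLOWED_TAGS - ["img"]).freeze

# Matches an opening or closing tag and captures its name.
TAG_RE = %r{<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>}

# Toy allow-list filter standing in for helper.sanitize(html, tags: allowed):
# every tag whose name is not on the list is dropped, text around it is kept.
# No attribute filtering, no handling of malformed markup; it only illustrates
# the effect of removing "img" from the allow list.
def strip_disallowed_tags(html, allowed)
  html.gsub(TAG_RE) do |tag|
    allowed.include?(Regexp.last_match(1).downcase) ? tag : ""
  end
end

# Pulls src values out of <img> tags. Bodies stored before the upgrade are
# re-sanitized on display, but the raw body still shows who tried this and
# which host they pointed at, which is what an incident review wants.
IMG_SRC_RE = /<img\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/i
def image_sources(html)
  html.scan(IMG_SRC_RE).flatten
end

# Hypothetical triage helper: returns { comment_id => [src, ...] } for every
# comment whose body carries an <img> tag.
def flag_comments_with_images(comments)
  comments.each_with_object({}) do |c, out|
    srcs = image_sources(c[:body])
    out[c[:id]] = srcs unless srcs.empty?
  end
end

# Constructed sample data, not real publify records. The first body is the
# one the fix's spec uses.
SAMPLE_BODY = 'Test <b>foo</b> <img src="https://eviloverlord.com/getmyip.jpg">'
SAMPLE_COMMENTS = [
  { id: 1, body: "Nice post, see <a href=\"https://example.org/\">this</a>" },
  { id: 2, body: SAMPLE_BODY },
  { id: 3, body: "<IMG SRC='https://tracker.example/p.gif' width=1 height=1>" },
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{strip_disallowed_tags(SAMPLE_BODY, RAILS_DEFAULT_ALLOWED_TAGS)}"
  puts "after fix:  #{strip_disallowed_tags(SAMPLE_BODY, COMMENT_ALLOWED_TAGS)}"
  flag_comments_with_images(SAMPLE_COMMENTS).each do |id, srcs|
    puts "comment #{id} embeds #{srcs.join(', ')}"
  end
end
```

The point the block makes is that the patch is an allow-list subtraction, not a blacklist: `<b>` and `<a>` survive, `<img>` in any letter case is removed as a whole element, and a body such as comment 3 (a one-pixel tracker) is the kind of stored record worth reviewing after the upgrade, since the advisory covers rendering only and does not clean existing rows.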
References
- github.com/advisories/GHSA-w78q-4w34-jrjx (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-0578 (NVD entry)
- github.com/publify/publify/commit/b50df050c593cc532b2c516792989bcfce2d73f7 (fix commit)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2022-0578.yml (ruby-advisory-db entry)
- huntr.dev/bounties/02c81928-eb47-476f-8000-e93dc796dbcc (huntr report)