Improper neutralization of data URIs allows XSS in rails-html-sanitizer
Description
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
rails-html-sanitizer fails to properly sanitize data URIs, allowing XSS via base64 encoded scripts when used with Loofah >=2.1.0.
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >=1.0.3, <1.4.4 are vulnerable to cross-site scripting (XSS) via data URIs when used in combination with Loofah >=2.1.0 [1][4]. The root cause is a divergence in the PermitScrubber class, which does not properly validate data URIs, unlike Loofah's scrubber that includes a safe data URI check [4].
An attacker can exploit this by crafting an HTML fragment containing an element with a `src` attribute set to a data URI, such as `data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=` [4]. The sanitizer fails to remove or escape the data URI, allowing the base64-encoded JavaScript to execute in the victim's browser. This attack does not require authentication and can be triggered by submitting unsanitized user input [4].
Successful exploitation leads to arbitrary JavaScript execution in the context of the user's session, potentially allowing theft of cookies, session tokens, or other sensitive information, or performing actions on behalf of the victim [1].
The issue is patched in rails-html-sanitizer version 1.4.4 [1]. Users are advised to upgrade immediately. No workaround is available for older versions.
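The narrative above attributes the bug to PermitScrubber lacking the safe data URI check that Loofah's scrubber applies. The following is an added example of what such an attribute-level check looks like; it is not code from rails-html-sanitizer or Loofah, and the allowlist, attribute names and parsing details are this example's own assumptions.

```ruby
require "cgi"

# Added example: a media-type allowlist for data: URIs in src/href attributes,
# modelled on the "safe data URI" idea the advisory credits to Loofah. The
# allowlist, parsing and attribute names here are assumptions of this example.

# Media types a data: URI may carry. Anything a browser renders as a document
# (text/html, image/svg+xml, ...) is deliberately absent.
ALLOWED_DATA_MEDIATYPES = %w[image/gif image/jpeg image/png image/webp].freeze

# Attributes whose value is interpreted as a URI.
URI_ATTRIBUTES = %w[src href].freeze

# Characters browsers ignore inside URLs; stripped so "da\tta:" still reads as "data:".
CONTROL_CHARACTERS = /[\x00-\x20\x7f]/

# Normalise an attribute value the way a browser would before scheme matching:
# decode HTML entities (so "data&#58;" becomes "data:"), drop control characters, lowercase.
def normalize_uri(value)
  CGI.unescapeHTML(value.to_s).gsub(CONTROL_CHARACTERS, "").downcase
end

# Media type of a data: URI ("data:image/png;base64,..." -> "image/png"),
# or nil when the value is not a data: URI at all.
def data_uri_mediatype(value)
  normalized = normalize_uri(value)
  return nil unless normalized.start_with?("data:")
  header = normalized.delete_prefix("data:").split(",", 2).first.to_s
  mediatype = header.split(";").first.to_s
  mediatype.empty? ? "text/plain" : mediatype # RFC 2397 default when the type is omitted
end

# A src-style value is acceptable when it is not a data: URI, or when its media
# type is on the allowlist. Scheme allowlisting (javascript:, etc.) is a separate check.
def safe_src_value?(value)
  mediatype = data_uri_mediatype(value)
  mediatype.nil? || ALLOWED_DATA_MEDIATYPES.include?(mediatype)
end

# Drop URI-bearing attributes that fail the check; other attributes pass through.
# attrs is a Hash of attribute name => value, e.g. { "src" => "...", "alt" => "..." }.
def scrub_uri_attributes(attrs)
  attrs.reject { |name, value| URI_ATTRIBUTES.include?(name.to_s.downcase) && !safe_src_value?(value) }
end
```

Run against the advisory's own payload, `data:text/html;base64,...` is rejected while an `image/png` data URI and ordinary https URLs are kept.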
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rails-html-sanitizer (RubyGems) | >= 1.0.3, < 1.4.4 | 1.4.4 |
Affected products
- ghsa-coords (11 versions):
  - pkg:gem/rails-html-sanitizer (range: >= 1.0.3, < 1.4.4)
  - pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Leap%2015.4
  - pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Leap%2015.5
  - pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1
  - pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2
  - pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3
  - pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4
  - pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5
  - pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
  - pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
- (no CPE) range: >= 1.0.3, < 1.4.4
- (no CPE) range: < 1.0.4-150000.4.6.1
- (no CPE) range: < 1.0.4-150000.4.6.1
- (no CPE) range: < 1.5.0-1.1
- (no CPE) range: < 1.0.4-150000.4.6.1
- (no CPE) range: < 1.0.4-150000.4.6.1
- (no CPE) range: < 1.0.4-150000.4.6.1
- (no CPE) range: < 1.0.4-150000.4.6.1
- (no CPE) range: < 1.0.4-150000.4.6.1
- (no CPE) range: < 1.0.3-8.14.1
- (no CPE) range: < 1.0.3-8.14.1
- rails/rails-html-sanitizer (v5) range: >= 1.0.3, < 1.4.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-mcvf-2q2m-x72m (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-23518 (NVD advisory)
3. github.com/rails/rails-html-sanitizer/issues/135 (web, x_refsource_MISC)
4. github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m (web, x_refsource_CONFIRM)
5. github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23518.yml (web)
6. github.com/w3c/svgwg/issues/266 (web)
7. hackerone.com/reports/1694173 (web, x_refsource_MISC)
8. lists.debian.org/debian-lts-announce/2023/09/msg00012.html (web)
9. lists.debian.org/debian-lts-announce/2024/09/msg00045.html (web)
News mentions
No linked articles in our index yet.