Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Description
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both "math" and "style" elements, or allow both "svg" and "style" elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version 1.4.4. All users overriding the allowed tags to include "math" or "svg" and "style" should either upgrade or use the following workaround immediately: Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting (XSS) vulnerability in rails-html-sanitizer allows attackers to inject content when both 'math' or 'svg' and 'style' tags are allowed.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in rails-html-sanitizer versions prior to 1.4.4. The vulnerability occurs when an application developer overrides the sanitizer's allowed tags to include both "math" or "svg" and "style" elements. This specific combination can lead to the injection of malicious content [1].
Exploitation
Exploitation requires that the application developer has modified the default allowed tags via configuration files, the sanitize helper's :tags option, or through the Rails::Html::SafeListSanitizer class. No authentication is needed if user-supplied input is sanitized using these overrides [2]. An attacker can provide crafted HTML containing the allowed tags to bypass sanitization.
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript, leading to XSS attacks. This can result in session hijacking, defacement, or theft of sensitive information [3].
Mitigation
The vulnerability is fixed in version 1.4.4. Users who cannot upgrade should immediately remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rails-html-sanitizerRubyGems | < 1.4.4 | 1.4.4 |
Affected products
12- ghsa-coords11 versionspkg:gem/rails-html-sanitizerpkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/rubygem-rails-html-sanitizer&distro=openSUSE%20Tumbleweedpkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-rails-html-sanitizer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 1.4.4+ 10 more
- (no CPE)range: < 1.4.4
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.5.0-1.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.4-150000.4.6.1
- (no CPE)range: < 1.0.3-8.14.1
- (no CPE)range: < 1.0.3-8.14.1
- rails/rails-html-sanitizerv5Range: < 1.4.4
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/advisories/GHSA-9h9g-93gc-623hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-23519ghsaADVISORY
- github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623hghsax_refsource_CONFIRMWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.ymlghsaWEB
- hackerone.com/reports/1656627ghsax_refsource_MISCWEB
- lists.debian.org/debian-lts-announce/2023/09/msg00012.htmlghsaWEB
- lists.debian.org/debian-lts-announce/2024/09/msg00045.htmlghsaWEB
News mentions
0No linked articles in our index yet.