VYPR
Moderate severityNVD Advisory· Published Dec 14, 2022· Updated Nov 3, 2025

Possible XSS vulnerability with certain configurations of rails-html-sanitizer

CVE-2022-23519

Description

rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: allow both "math" and "style" elements, or allow both "svg" and "style" elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version 1.4.4. All users overriding the allowed tags to include "math" or "svg" and "style" should either upgrade or use the following workaround immediately: Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
rails-html-sanitizerRubyGems
< 1.4.41.4.4

Affected products

12

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.