VYPR
High severity · NVD Advisory · Published Jul 6, 2023 · Updated Feb 13, 2025

Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content

CVE-2023-36823

Description

Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize starting with version 3.0.0 and prior to version 6.0.2 when Sanitize is configured to use the built-in "relaxed" config or when using a custom config that allows style elements and one or more CSS at-rules. This could result in cross-site scripting or other undesired behavior when the malicious HTML and CSS are rendered in a browser. Sanitize 6.0.2 performs additional escaping of CSS in style element content, which fixes this issue. Users who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow style elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence </ as <\/ in style element content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sanitize versions 3.0.0 to 6.0.1 allow bypassing HTML/CSS sanitization via crafted input when style elements and CSS at-rules are allowed, leading to XSS; fixed in 6.0.2.

Sanitize, a Ruby HTML and CSS sanitizer, contains a vulnerability in versions 3.0.0 through 6.0.1 that allows an attacker to bypass sanitization when the built-in 'relaxed' config or a custom config permitting style elements and CSS at-rules is used. The root cause is insufficient escaping of CSS content within style elements, enabling injection of arbitrary HTML and CSS [1][2].

Exploitation requires the application to use a vulnerable configuration. An attacker can craft input that, when sanitized, includes malicious CSS that escapes the style element's context, leading to cross-site scripting (XSS) when rendered in a browser [2][3].

Successful exploitation results in arbitrary script execution in the user's browser, potentially leading to data theft, session hijacking, or other malicious actions. The vulnerability is rated with a CVSS score indicating high severity [2].

The issue is fixed in Sanitize version 6.0.2, which adds additional escaping of CSS in style element content [3]. Users unable to upgrade can mitigate by avoiding configurations that allow style elements or CSS at-rules, or by manually escaping the </ sequence as <\/ in style content [2].
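The following Ruby is an added illustration (not code from Sanitize or its author) of the mechanics described in the advisory description and the paragraphs above: a CSS serializer that drops comments turns `</sty/**/le>` into a literal `</style>` inside the style element's raw text, and the 6.0.2-style replacement of `</` with `<\/` makes that sequence inert. The comment-stripping serializer and the end-tag check are simplified stand-ins for the real CSS parser and HTML tokenizer.

```ruby
# Added example modelling CVE-2023-36823 (not Sanitize's own code).
# A browser treats <style> content as raw text that ends at the first
# "</style" followed by whitespace, "/" or ">", regardless of CSS syntax.
STYLE_END = %r{</style[\s/>]}i

# Index at which an HTML tokenizer would close the <style> element, or nil.
def style_end_index(css)
  css =~ STYLE_END
end

def style_content_safe?(css)
  style_end_index(css).nil?
end

# Simplified stand-in for a CSS parser re-serializing an at-rule prelude:
# comments are discarded, so "</sty/**/le>" becomes "</style>".
def strip_css_comments(css)
  css.gsub(%r{/\*.*?\*/}m, '')
end

# The 6.0.2 mitigation: "</" becomes "<\/". To the HTML tokenizer "<\/" is
# not an end-tag opener; to a CSS parser "\/" is just an escaped "/", so the
# stylesheet keeps its meaning.
def escape_style_css(css)
  css.gsub('</', '<\/')
end

# Constructed style-element content, taken from the advisory's own test case.
CRAFTED = "@media</sty/**/le><iframe srcdoc='<script>alert(document.domain)</script>'>"

if __FILE__ == $PROGRAM_NAME
  # The raw input contains no "</style", so a check before serialization misses it.
  puts "raw input safe?      #{style_content_safe?(CRAFTED)}"
  serialized = strip_css_comments(CRAFTED)
  # Re-serialization created the end tag: this is the bypass.
  puts "after serialization? #{style_content_safe?(serialized)}"
  # Escaping the serialized CSS neutralizes it.
  puts "after escaping?      #{style_content_safe?(escape_style_css(serialized))}"
end
```

The check has to run on the serialized CSS, not the raw input, which is why the fix in clean_css.rb sits after the at-rule handling.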

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: sanitize (RubyGems)
Affected versions: >= 3.0.0, < 6.0.2
Patched versions: 6.0.2

Affected products

  • ghsa-coords
    Range: >= 3.0.0, < 6.0.2
  • rgrove/sanitizev5
    Range: >= 3.0.0, < 6.0.2

Patches

76ed46e6dc70

Merge pull request from GHSA-f5ww-cq3m-q3g7

https://github.com/rgrove/sanitize · Ryan Grove · Jul 6, 2023 · via ghsa
4 files changed · +32 −3
  • HISTORY.md+17 0 modified
    @@ -1,5 +1,22 @@
     # Sanitize History
     
    +## 6.0.2 (2023-07-06)
    +
    +### Bug Fixes
    +
    +* CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS
    +  (cross-site scripting). This issue affects Sanitize versions 3.0.0 through
    +  6.0.1.
    +
    +  When using Sanitize's relaxed config or a custom config that allows `<style>`
    +  elements and one or more CSS at-rules, carefully crafted input could be used
    +  to sneak arbitrary HTML through Sanitize.
    +
    +  See the following security advisory for additional details:
    +  [GHSA-f5ww-cq3m-q3g7](https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7)
    +
    +  Thanks to @cure53 for finding this issue.
    +
     ## 6.0.1 (2023-01-27)
     
     ### Bug Fixes
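    Review bot: the changelog entry leaves out the workaround for users who cannot upgrade, which the advisory description spells out (use a config that disallows `<style>` elements or CSS at-rules, or escape `</` as `<\/` in style element content); HISTORY.md is where many operators look first, so add that sentence under the CVE bullet and state that 6.0.2 fixes the issue by escaping `</` in serialized style content, so readers know why their output changes.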
    
  • lib/sanitize/transformers/clean_css.rb+1 0 modified
    @@ -48,6 +48,7 @@ def call(env)
         if css.strip.empty?
           node.unlink
         else
    +      css.gsub!('</', '<\/')
           node.children.unlink
           node << Nokogiri::XML::Text.new(css, node.document)
         end
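    Review bot: the added `css.gsub!('</', '<\/')` has no comment and reads like a stray character edit; put a comment above it saying that the serialized CSS can contain a `</style` sequence that the CSS parser produced from at-rule content, that `<\/` is inert to the HTML tokenizer, and that `\/` is an escaped `/` to CSS so the stylesheet's meaning is preserved, and reference GHSA-f5ww-cq3m-q3g7. The placement after serialization is the right one, since the bypass is created by re-serialization rather than present in the raw input.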
    
  • lib/sanitize/version.rb+1 3 modified
    @@ -1,5 +1,3 @@
    -# encoding: utf-8
    -
     class Sanitize
    -  VERSION = '6.0.1'
    +  VERSION = '6.0.2'
     end
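    Review bot: besides the version bump, this hunk deletes the `# encoding: utf-8` magic comment and its trailing blank line, which is unrelated housekeeping in a security-fix commit that distributions may backport as a standalone patch. It is harmless on any Ruby where UTF-8 is the default source encoding, but either keep the fix commit minimal or mention the cleanup in the commit message.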
    
  • test/test_malicious_css.rb+13 0 modified
    @@ -39,4 +39,17 @@
       it 'should not allow behaviors' do
         _(@s.properties(%[behavior: url(xss.htc);])).must_equal ''
       end
    +
    +  describe 'sanitization bypass via CSS at-rule in HTML <style> element' do
    +    before do
    +      @s = Sanitize.new(Sanitize::Config::RELAXED)
    +    end
    +
    +    it 'is not possible to prematurely end a <style> element' do
    +      assert_equal(
    +        %[<style>@media<\\/style><iframe srcdoc='<script>alert(document.domain)<\\/script>'>{}</style>],
    +        @s.fragment(%[<style>@media</sty/**/le><iframe srcdoc='<script>alert(document.domain)</script>'></style>])
    +      )
    +    end
    +  end
     end
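    Review bot: the new test asserts on an exact output string, which pins the `<\/` escape but not the property that matters; add a second assertion that parses the result of `@s.fragment(...)` with Nokogiri and finds exactly one `style` element and no `iframe`, so a later change to the escaping strategy or to the CSS serializer is still caught. Since the advisory says any allowed at-rule enables the bypass, also run the case over each at-rule the RELAXED config permits rather than `@media` alone.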
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
