VYPR
Low severity · NVD Advisory · Published Dec 2, 2024 · Updated Dec 11, 2024

Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0

CVE-2024-53985

Description

rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. The XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags with both "math" and "style" elements or both "svg" and "style" elements. This vulnerability is fixed in 1.6.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVSS-unknown XSS in rails-html-sanitizer 1.6.0 when HTML5 sanitization is enabled and allowed tags include both "math" and "style" or both "svg" and "style".

Vulnerability

Description

CVE-2024-53985 is a cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem, version 1.6.0. The issue arises from a flaw in Nokogiri's HTML5 handling, specifically the "foreign style serialization" bug named in the fix commits, and only manifests when the application uses HTML5 sanitization (configured via config.action_view.sanitizer_vendor or config.action_text.sanitizer_vendor) and has overridden the sanitizer's allowed tags to include both "math" and "style" or both "svg" and "style" elements [3]. The vulnerability is triggered because a style element nested inside one of these foreign elements (math or svg) hits that serialization bug, so content that should have been neutralized can bypass sanitization under the affected Nokogiri versions [4].

Exploitation

Prerequisites

An attacker can exploit this vulnerability without authentication if the following conditions are met: the Rails application uses HTML5 sanitization, and the developer has customized the allowed tags to include the dangerous pairings (math+style or svg+style). The customization can occur through config.action_view.sanitized_allowed_tags, the :tags option in the sanitize helper, or by setting Rails::HTML5::SafeListSanitizer.allowed_tags [3]. The attack surface is any user-controlled input that is sanitized with these overridden settings, such as comments, rich-text editors, or form fields [2].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML/JavaScript that bypasses the sanitizer, leading to reflected or stored XSS. This can result in session hijacking, cookie theft, defacement, or redirection to malicious sites. The vulnerable configurations are limited to Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8 [3].

Mitigation

The vulnerability is fixed in rails-html-sanitizer version 1.6.1. The fix raises the gem's Nokogiri dependency to 1.15.7 or later while excluding the 1.16.0 through 1.16.7 releases (that is, 1.15.7+ or >= 1.16.8), which resolves the underlying Nokogiri bug [3]. Applications should upgrade the gem immediately and ensure the resolved Nokogiri version meets those constraints. If an immediate upgrade is not possible, administrators can temporarily disable HTML5 sanitization or avoid allowing both "math"/"svg" and "style" in the allowed tags list [3].
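An added configuration audit (not code from the advisory or the rails-html-sanitizer project) that encodes the preconditions above: it reproduces the Nokogiri requirement from the 1.6.1 gemspec with Gem::Requirement and flags allowed-tag lists that pair "style" with "math" or "svg". The version strings and tag lists passed in are assumed to come from the app's `bundle list` output and its sanitizer configuration.

```ruby
# Added example (not code from the advisory or the rails-html-sanitizer project):
# audit a Rails app's configuration for the CVE-2024-53985 preconditions.
require "rubygems"

# Affected rails-html-sanitizer range from the advisory's "Affected packages" table.
AFFECTED_SANITIZER = Gem::Requirement.new(">= 1.6.0", "< 1.6.1")

# Nokogiri versions that carry the fix, written exactly as the 1.6.1 gemspec does:
# 1.15.7 or later, except the 1.16.0 .. 1.16.7 releases.
PATCHED_NOKOGIRI = Gem::Requirement.new(
  ">= 1.15.7",
  "!= 1.16.0.rc1", "!= 1.16.0", "!= 1.16.1", "!= 1.16.2", "!= 1.16.3",
  "!= 1.16.4", "!= 1.16.5", "!= 1.16.6", "!= 1.16.7"
)

# Tag pairs the advisory names as dangerous once HTML5 sanitization is enabled.
RISKY_PAIRS = [%w[math style], %w[svg style]].freeze

# Which risky pairs are fully present in an allowed-tags collection (Array or Set,
# e.g. the value of Rails::HTML5::SafeListSanitizer.allowed_tags)?
def risky_tag_pairs(allowed_tags)
  tags = allowed_tags.map { |t| t.to_s.downcase }
  RISKY_PAIRS.select { |pair| (pair - tags).empty? }
end

# Returns nil when the configuration is not exposed, otherwise a short reason.
# `html5` is whether config.action_view.sanitizer_vendor / action_text.sanitizer_vendor
# selects the HTML5 sanitizer; the version strings are assumed to come from `bundle list`.
def sanitizer_exposure(sanitizer_version:, nokogiri_version:, html5:, allowed_tags:)
  return nil unless html5
  pairs = risky_tag_pairs(allowed_tags)
  return nil if pairs.empty?
  return nil unless AFFECTED_SANITIZER.satisfied_by?(Gem::Version.new(sanitizer_version))
  return nil if PATCHED_NOKOGIRI.satisfied_by?(Gem::Version.new(nokogiri_version))

  "allowed tags contain #{pairs.map { |p| p.join('+') }.join(' and ')} with " \
    "rails-html-sanitizer #{sanitizer_version} and nokogiri #{nokogiri_version}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample configurations: one exposed, one fixed by the Nokogiri bump alone.
  puts sanitizer_exposure(sanitizer_version: "1.6.0", nokogiri_version: "1.16.7",
                          html5: true, allowed_tags: %w[p a svg style]).inspect
  puts sanitizer_exposure(sanitizer_version: "1.6.0", nokogiri_version: "1.16.8",
                          html5: true, allowed_tags: %w[p a svg style]).inspect
end
```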

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions    Patched versions
rails-html-sanitizer (RubyGems)  >= 1.6.0, < 1.6.1    1.6.1

Patches

b0220b8850d5

dep: bump Nokogiri dependency to address the foreign style issue

https://github.com/rails/rails-html-sanitizer · Mike Dalessio · Nov 30, 2024 · via ghsa
3 files changed · +9 −21
  • Gemfile (+0 −4, modified)
    @@ -14,7 +14,3 @@ group :rubocop do
       gem "rubocop-performance", require: false
       gem "rubocop-rails", require: false
     end
    -
    -# specify gem versions for old rubies
    -gem "nokogiri", ">= 1.7"
    -gem "activesupport", ">= 5"
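Review bot: the commit message covers only the Nokogiri bump, but this hunk also drops the `gem "activesupport", ">= 5"` floor that the deleted comment says was kept for old rubies; either mention that in the message or confirm the activesupport floor is enforced elsewhere, since the Gemfile no longer pins it.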
    
  • Gemfile.lock (+4 −14, modified)
    @@ -3,7 +3,7 @@ PATH
       specs:
         rails-html-sanitizer (1.6.0)
           loofah (~> 2.21)
    -      nokogiri (~> 1.14)
    +      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     
     GEM
       remote: https://rubygems.org/
    @@ -34,18 +34,10 @@ GEM
         loofah (2.22.0)
           crass (~> 1.0.2)
           nokogiri (>= 1.12.0)
    +    mini_portile2 (2.8.8)
         minitest (5.24.1)
    -    nokogiri (1.16.7-aarch64-linux)
    -      racc (~> 1.4)
    -    nokogiri (1.16.7-arm-linux)
    -      racc (~> 1.4)
    -    nokogiri (1.16.7-arm64-darwin)
    -      racc (~> 1.4)
    -    nokogiri (1.16.7-x86-linux)
    -      racc (~> 1.4)
    -    nokogiri (1.16.7-x86_64-darwin)
    -      racc (~> 1.4)
    -    nokogiri (1.16.7-x86_64-linux)
    +    nokogiri (1.16.8)
    +      mini_portile2 (~> 2.8.2)
           racc (~> 1.4)
         parallel (1.26.2)
         parser (3.3.4.2)
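Review bot: the lockfile no longer resolves to the precompiled platform gems (the removed `nokogiri (1.16.7-aarch64-linux)`, `-arm64-darwin`, `-x86_64-linux` and friends) and instead picks the source gem `nokogiri (1.16.8)` with the newly added `mini_portile2 (~> 2.8.2)`, which compiles the bundled libxml2/libgumbo on every install; if that is unintended, re-add the platforms with `bundle lock --add-platform` so CI and contributors get the native 1.16.8 builds.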
    @@ -98,9 +90,7 @@ PLATFORMS
       x86_64-linux
     
     DEPENDENCIES
    -  activesupport (>= 5)
       minitest
    -  nokogiri (>= 1.7)
       rails-html-sanitizer!
       rake
       rubocop (>= 1.25.1)
    
  • rails-html-sanitizer.gemspec (+5 −3, modified)
    @@ -26,8 +26,10 @@ Gem::Specification.new do |spec|
       spec.test_files    = Dir["test/**/*"]
       spec.require_paths = ["lib"]
     
    -  # NOTE: There's no need to update dependencies for CVEs in minor releases
    -  # when users can simply run `bundle update loofah`.
       spec.add_dependency "loofah", "~> 2.21"
    -  spec.add_dependency "nokogiri", "~> 1.14"
    +
    +  # A fix was shipped in nokogiri v1.15.7 and v1.16.8 without which there is a vulnerability in this gem.
    +  spec.add_dependency "nokogiri", [">=1.15.7",
    +                                   "!=1.16.0", "!=1.16.0.rc1", "!=1.16.1", "!=1.16.2", "!=1.16.3",
    +                                   "!=1.16.4", "!=1.16.5", "!=1.16.6", "!=1.16.7"]
     end
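Review bot: the `!=` exclusion list is the only way a RubyGems requirement can express "1.15.7 or later, or 1.16.8 or later", so the constraint is correct, but the new comment should say that and name the advisory, otherwise a later cleanup may collapse it back to a single `~>`; two style points in the same lines: the version strings drop the space used by the neighbouring `"~> 2.21"` (`">=1.15.7"` vs `">= 1.15.7"`), and `"!=1.16.0.rc1"` is listed after `"!=1.16.0"` although it sorts before it.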
    
cd18b0ef00aa

test: Nokogiri's HTML5 "foreign style serialization" issue

https://github.com/rails/rails-html-sanitizer · Mike Dalessio · Nov 30, 2024 · via ghsa
1 file changed · +38 −0
  • test/sanitizer_test.rb (+38 −0, modified)
    @@ -976,6 +976,34 @@ def test_combination_of_svg_and_style_with_img_payload_2
           assert_includes(acceptable_results, actual)
         end
     
    +    def test_combination_of_svg_and_style_with_escaped_img_payload
    +      # https://hackerone.com/reports/2503220
    +      input, tags = "<svg><style>&lt;img src onerror=alert(1)>", ["svg", "style"]
    +      actual = safe_list_sanitize(input, tags: tags)
    +      acceptable_results = [
    +        # libxml2
    +        "<svg><style>&amp;lt;img src onerror=alert(1)&gt;</style></svg>",
    +        # libgumbo
    +        "<svg><style>&lt;img src onerror=alert(1)&gt;</style></svg>",
    +      ]
    +
    +      assert_includes(acceptable_results, actual)
    +    end
    +
    +    def test_combination_of_math_and_style_with_escaped_img_payload
    +      # https://hackerone.com/reports/2503220
    +      input, tags = "<math><style>&lt;img src onerror=alert(1)>", ["math", "style"]
    +      actual = safe_list_sanitize(input, tags: tags)
    +      acceptable_results = [
    +        # libxml2
    +        "<math><style>&amp;lt;img src onerror=alert(1)&gt;</style></math>",
    +        # libgumbo
    +        "<math><style>&lt;img src onerror=alert(1)&gt;</style></math>",
    +      ]
    +
    +      assert_includes(acceptable_results, actual)
    +    end
    +
         def test_should_sanitize_illegal_style_properties
           raw      = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
           expected = %(display:block;width:100%;height:100%;background-color:black;background-x:center;background-y:center;)
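Review bot: both new tests pin exact serialized strings, which is why each needs a libxml2 and a libgumbo variant in `acceptable_results`; the property being protected is that `&lt;img src onerror=alert(1)>` stays text and never becomes an `<img>` element, so a DOM-level assertion alongside the string match (re-parse `actual` and check that no `//img` node exists) would keep the tests meaningful if a third serializer output appears, instead of forcing another literal into the list.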
    @@ -1075,5 +1103,15 @@ class HTML4SafeListSanitizerTest < Minitest::Test
       class HTML5SafeListSanitizerTest < Minitest::Test
         @module_under_test = Rails::HTML5
         include SafeListSanitizerTest
    +
    +    def test_should_not_be_vulnerable_to_nokogiri_foreign_style_serialization_bug
    +      # https://hackerone.com/reports/2503220
    +      input = "<svg><style>&lt;img src onerror=alert(1)>"
    +      result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: ["svg", "style"])
    +      browser = Nokogiri::HTML5::Document.parse(result)
    +      xss = browser.at_xpath("//img/@onerror")
    +
    +      assert_nil(xss)
    +    end
       end if loofah_html5_support?
     end
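Review bot: `browser.at_xpath("//img/@onerror")` only detects the single payload shape from the HackerOne report; asserting that the re-parsed document contains no `img` element at all (`//img`) or no event-handler attribute anywhere (`//@*[starts-with(name(), 'on')]`) would catch the same serialization bug surfacing through a different tag, and a matching `<math><style>` case here would mirror the pair of string tests added above for the shared module.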
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
