VYPR
Low severity · NVD Advisory · Published Dec 2, 2024 · Updated Dec 3, 2024

Possible XSS vulnerability with certain configurations of rails-html-sanitizer 1.6.0

CVE-2024-53989

Description

rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. There is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0: an attacker may be able to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags to include the "noscript" element. This vulnerability is fixed in 1.6.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

rails-html-sanitizer 1.6.0 has an XSS vulnerability when HTML5 sanitization is enabled and 'noscript' is allowed; fixed in 1.6.1.

Vulnerability

Overview

rails-html-sanitizer 1.6.0, when used with Rails >= 7.1.0 and HTML5 sanitization enabled, contains a possible XSS vulnerability. The issue arises when an application developer overrides the sanitizer's allowed tags to include the "noscript" element. Under these conditions, the sanitizer fails to properly neutralize malicious content within the noscript tag, leading to potential script injection [2][3].

Exploitation

Prerequisites

Exploitation requires that the application uses HTML5 sanitization (config.action_view.sanitizer_vendor or config.action_text.sanitizer_vendor set to HTML5) and that the developer has explicitly allowed the "noscript" tag. This can happen via application configuration, the sanitize helper's :tags option, or by setting Rails::HTML5::SafeListSanitizer.allowed_tags [3]. An attacker can then inject HTML or JavaScript within a noscript element that bypasses sanitization.

Impact

If successfully exploited, an attacker can achieve cross-site scripting (XSS), allowing them to execute arbitrary JavaScript in the context of the victim's browser. This could lead to session hijacking, data theft, or defacement [2].

Mitigation

The vulnerability is fixed in rails-html-sanitizer version 1.6.1. Users should upgrade immediately. As a workaround, developers should avoid allowing the "noscript" element in their sanitizer configurations [3].
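As an added example (not code from the advisory, from NVD, or from the rails-html-sanitizer project), the following pure-Ruby helper turns the preconditions listed under Prerequisites and the workaround above into two checks an application team can run against its own configuration: an exposure test combining gem version, Rails version, sanitizer vendor and the allowed-tag set, and a safe-list normaliser that drops "noscript" without mutating the caller's collection. The function names, the way the vendor is passed in (the vendor module or its name as a string), and the sample configuration values at the bottom are assumptions of this example; the sample values are constructed, not taken from any real application.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement ship with RubyGems
require "set"

# Affected range and minimum Rails version as stated in the advisory.
AFFECTED_RANGE = Gem::Requirement.new(">= 1.6.0", "< 1.6.1")
MIN_RAILS      = Gem::Version.new("7.1.0")

# The vendor is normally the Rails::HTML5::Sanitizer module (or the HTML4 one);
# accepting the module itself or its name as a String is an assumption here.
def html5_vendor?(vendor)
  vendor.to_s.include?("HTML5")
end

# True only when every precondition from the advisory holds at once:
# vulnerable gem version, Rails >= 7.1.0, the HTML5 vendor, and "noscript"
# present in the developer-supplied allowed-tag set.
def exposed_to_cve_2024_53989?(gem_version:, rails_version:, sanitizer_vendor:, allowed_tags:)
  return false unless AFFECTED_RANGE.satisfied_by?(Gem::Version.new(gem_version))
  return false unless Gem::Version.new(rails_version) >= MIN_RAILS
  return false unless html5_vendor?(sanitizer_vendor)

  Array(allowed_tags).map(&:to_s).include?("noscript")
end

# Workaround from the advisory: never allow "noscript". Accepts an Array or a
# Set (as Rails::HTML5::SafeListSanitizer.allowed_tags is), returns a new
# frozen Array plus a list of warnings for the application log; the input is
# left untouched, so frozen constants are safe to pass in.
def harden_allowed_tags(tags)
  tags = Array(tags).map(&:to_s)
  warnings = []
  if tags.include?("noscript")
    warnings << "removed 'noscript' from allowed tags (CVE-2024-53989 workaround)"
    tags -= ["noscript"]
  end
  [tags.freeze, warnings]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample configuration for a stand-alone run.
  tags, warnings = harden_allowed_tags(%w[div p noscript span].freeze)
  warnings.each { |w| warn(w) }
  puts tags.inspect
  puts exposed_to_cve_2024_53989?(gem_version: "1.6.0", rails_version: "7.1.3",
                                  sanitizer_vendor: "Rails::HTML5::Sanitizer",
                                  allowed_tags: %w[div p noscript])
end
```

Running the exposure check in an initializer or a CI task with the real values (`Gem.loaded_specs["rails-html-sanitizer"].version`, `Rails.version`, the configured vendor, and each safe list the application defines) gives a single yes/no answer per safe list; the hardening helper is the pre-1.6.1 equivalent of what the fix does inside the gem, except that it returns a copy instead of editing the caller's list.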

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions     Patched versions
rails-html-sanitizer (RubyGems)  >= 1.6.0, < 1.6.1     1.6.1


Patches
16251735e36e

fix: disallow 'noscript' from safe lists

https://github.com/rails/rails-html-sanitizer · Mike Dalessio · Nov 30, 2024 · via ghsa
3 files changed · +49 −0
  • lib/rails/html/scrubbers.rb  +6 −0  modified
    @@ -134,6 +134,12 @@ def validate!(var, name)
               if var && !var.is_a?(Enumerable)
                 raise ArgumentError, "You should pass :#{name} as an Enumerable"
               end
    +
    +          if var && name == :tags && var.include?("noscript")
    +            warn("WARNING: 'noscript' tags cannot be allowed by the PermitScrubber and will be scrubbed")
    +            var.delete("noscript")
    +          end
    +
               var
             end
     
    
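Review bot: `var.delete("noscript")` in validate! edits the caller's collection in place, so a frozen safe list (e.g. `ALLOWED = %w[p noscript].freeze` passed as `tags:`, a common pattern) raises FrozenError instead of being scrubbed with the warning, and an unfrozen caller silently loses an element of its own array. Returning a copy keeps the warn-and-drop behaviour without the side effect, e.g. `var = var.dup.tap { |v| v.delete("noscript") }`, which also preserves a Set as a Set. The `name == :tags` guard is correct since only the tag safe list is affected.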
  • test/sanitizer_test.rb  +35 −0  modified
    @@ -1026,6 +1026,24 @@ def test_should_sanitize_across_newlines
           assert_equal "", sanitize_css(raw)
         end
     
    +    def test_should_prune_noscript
    +      # https://hackerone.com/reports/2509647
    +      input, tags = "<div><noscript><p id='</noscript><script>alert(1)</script>'></noscript>", ["p", "div", "noscript"]
    +      actual = nil
    +      assert_output(nil, /WARNING: 'noscript' tags cannot be allowed by the PermitScrubber/) do
    +        actual = safe_list_sanitize(input, tags: tags, attributes: %w(id))
    +      end
    +
    +      acceptable_results = [
    +        # libxml2
    +        "<div><p id=\"&lt;/noscript&gt;&lt;script&gt;alert(1)&lt;/script&gt;\"></p></div>",
    +        # libgumbo
    +        "<div><p id=\"</noscript><script>alert(1)</script>\"></p></div>",
    +      ]
    +
    +      assert_includes(acceptable_results, actual)
    +    end
    +
         protected
           def safe_list_sanitize(input, options = {})
             module_under_test::SafeListSanitizer.new.sanitize(input, options)
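Review bot: the `tags` array handed to `safe_list_sanitize` is modified in place by the new validate! branch, and this test never looks at `tags` afterwards, so it does not pin down whether a caller's safe list may be mutated or must be left intact; add an assertion on `tags` after the call (or pass a frozen literal) so that behaviour is covered either way. A short comment that the two `acceptable_results` differ only in attribute-value escaping between libxml2 and libgumbo would also help the next reader.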
    @@ -1075,5 +1093,22 @@ class HTML4SafeListSanitizerTest < Minitest::Test
       class HTML5SafeListSanitizerTest < Minitest::Test
         @module_under_test = Rails::HTML5
         include SafeListSanitizerTest
    +
    +    def test_should_not_be_vulnerable_to_noscript_attacks
    +      # https://hackerone.com/reports/2509647
    +      skip("browser assertion requires parse_noscript_content_as_text") unless Nokogiri::VERSION >= "1.17"
    +
    +      input = '<noscript><p id="</noscript><script>alert(1)</script>"></noscript>'
    +
    +      result = nil
    +      assert_output(nil, /WARNING/) do
    +        result = Rails::HTML5::SafeListSanitizer.new.sanitize(input, tags: %w(p div noscript), attributes: %w(id class style))
    +      end
    +
    +      browser = Nokogiri::HTML5::Document.parse(result, parse_noscript_content_as_text: true)
    +      xss = browser.at_xpath("//script")
    +
    +      assert_nil(xss)
    +    end
       end if loofah_html5_support?
     end
    
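Review bot: the guard `Nokogiri::VERSION >= "1.17"` is a String comparison, so releases such as "1.9.1" or "1.8.0" compare greater than "1.17" and the test would run rather than skip on them, then fail on the unsupported `parse_noscript_content_as_text` option. Compare with `Gem::Version.new(Nokogiri::VERSION) >= Gem::Version.new("1.17")` instead.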
  • test/scrubbers_test.rb  +8 −0  modified
    @@ -121,6 +121,14 @@ def test_leaves_only_supplied_tags_and_attributes
         assert_scrubbed html, '<tag></tag><tag cooler=""></tag>'
       end
     
    +  def test_does_not_allow_safelisted_noscript
    +    # https://hackerone.com/reports/2509647
    +    assert_output(nil, /WARNING: 'noscript' tags cannot be allowed by the PermitScrubber/) do
    +      @scrubber.tags = ["div", "noscript", "span"]
    +    end
    +    assert_equal(["div", "span"], @scrubber.tags)
    +  end
    +
       def test_leaves_text
         assert_scrubbed("some text")
       end
    
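Review bot: this covers the mutable Array case only; since validate! removes the element with `delete`, add a case with a frozen array (`%w[div noscript span].freeze`) and one with a Set, so the behaviour of `tags=` on those inputs is fixed by the suite rather than left to chance.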

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
