CVE-2025-64501
Description
ProsemirrorToHtml is a JSON converter that takes ProseMirror-compatible JSON and outputs HTML. In versions 0.2.0 and below, the prosemirror_to_html gem is vulnerable to cross-site scripting (XSS) through malicious HTML attribute values: text node content is escaped, but attribute values (for example a link mark's href) are interpolated into the opening tag verbatim, so a value containing a double quote can close the attribute and inject further attributes or JavaScript. Any application that uses prosemirror_to_html to render user-supplied ProseMirror documents, and every end user who views the resulting HTML, is exposed. The issue is fixed in version 0.2.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| prosemirror_to_html (RubyGems) | < 0.2.1 | 0.2.1 |
Affected products
- Range: v0.1.0, v0.2.0
Patches
4d59f94f550b Escape attribute values
4 files changed · +37 −6
Gemfile.lock+2 −2 modified@@ -33,11 +33,11 @@ PLATFORMS ruby DEPENDENCIES - bundler (~> 2.1.4) + bundler (~> 2.3) prosemirror_to_html! rake (~> 13.0) rspec (~> 3.0) yard BUNDLED WITH - 2.1.4 + 2.7.2
lib/prosemirror_to_html.rb+2 −1 modified@@ -246,7 +246,8 @@ def render_opening_tag(tags) attrs = '' if tag&.attrs tag.attrs.each_pair do |attr, value| - attrs << " #{attr}=\"#{value}\"" + escaped_value = CGI.escapeHTML(value.to_s) + attrs << " #{attr}=\"#{escaped_value}\"" end end
prosemirror_to_html.gemspec+1 −1 modified@@ -37,7 +37,7 @@ Gem::Specification.new do |spec| spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) } spec.require_paths = ["lib"] - spec.add_development_dependency "bundler", "~> 2.1.4" + spec.add_development_dependency "bundler", "~> 2.3" spec.add_development_dependency "rake", "~> 13.0" spec.add_development_dependency "rspec", "~> 3.0" spec.add_development_dependency "yard"
spec/prosemirror_to_html_spec.rb+32 −2 modified@@ -65,7 +65,7 @@ } renderer = ProsemirrorToHtml::Renderer.new - expect(html).to eq renderer.render(json) + expect(renderer.render(json)).to eq(html) end it 'renders example json correctly' do @@ -177,6 +177,36 @@ html = '<h2>Export HTML or JSON</h2><p>You are able to export your data as <code>HTML</code> or <code>JSON</code>. To pass <code>HTML</code> to the editor use the <code>content</code> slot. To pass <code>JSON</code> to the editor use the <code>doc</code> prop.</p>' renderer = ProsemirrorToHtml::Renderer.new - expect(renderer.render(json)).to eq html + expect(renderer.render(json)).to eq(html) + end + + it 'escapes HTML attributes' do + escaped_html = "<p><a href=\"javascript:alert('Hello!')\">Test</a></p>" + + json = { + "type": "doc", + "content": [ + { + "type": "paragraph", + "content": [ + { + "type": "text", + "text": "Test", + "marks": [ + { + "type": "link", + "attrs": { + "href": "javascript:alert('Hello!')" + } + } + ] + } + ] + } + ] + } + + renderer = ProsemirrorToHtml::Renderer.new + expect(renderer.render(json)).to eq(escaped_html) end end
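Review bot: the bundler constraint bump in Gemfile.lock (`- 2.1.4` / `+ 2.7.2`) and in prosemirror_to_html.gemspec (`~> 2.1.4` to `~> 2.3`) is tooling maintenance unrelated to the escaping fix; keeping it in a separate commit leaves the security fix minimal and straightforward to cherry-pick onto older branches.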
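Review bot: the new `CGI.escapeHTML(value.to_s)` call in render_opening_tag has no matching `require 'cgi'` anywhere in this diff; unless lib/prosemirror_to_html.rb already loads it (the hunk's context does not show the top of the file), the first attribute rendered raises NameError, so add the require explicitly. The attribute name `attr` is still interpolated unescaped; if attrs can come from the document's `attrs` objects rather than only from the tag definitions, it needs the same treatment or a key allowlist.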
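Review bot: the expected string in `it 'escapes HTML attributes'` keeps the single quotes of `javascript:alert('Hello!')` literal, but CGI.escapeHTML, which the lib hunk now applies to every attribute value, emits `&#39;` for a single quote, so the assertion as written should not match the renderer's output. Beyond that, this payload contains no character that escaping neutralises, so the test does not exercise the attribute breakout the fix is for; an href such as `x" onmouseover="alert(1)` that must render as `href="x&quot; onmouseover=&quot;alert(1)"` would. The javascript: case is still worth keeping, but as a documented reminder that escaping leaves the URL scheme intact rather than as proof of escaping.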
Vulnerability mechanics
render_opening_tag builds each opening tag by iterating tag.attrs and appending " #{attr}=\"#{value}\"" for every pair. Because value is interpolated verbatim, an attribute value such as a link href that contains a double quote terminates the attribute early, and whatever follows is parsed by the browser as additional attributes, an event handler for instance; this is the improper-neutralization-during-page-generation pattern of CWE-79. Text content is escaped on its way out, so the attribute path was the one unescaped sink. The fix in 4d59f94f550b wraps the value in CGI.escapeHTML(value.to_s) before interpolation, which rewrites quotes, ampersands and angle brackets as entities so the value can no longer break out of the attribute. Escaping does not change the scheme of an href, so an application that must not emit javascript: links still needs its own allowlist on top of the patched gem.
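The before/after behaviour described above, as an added example that is not the gem's own code: a minimal renderer for the ProseMirror subset the advisory's test uses (paragraph, text, link mark), serialising attributes three ways, the verbatim interpolation of versions below 0.2.1, the CGI.escapeHTML form the 0.2.1 patch introduces, and a hardened form that adds an href scheme allowlist. The module name AttrDemo, the method names, the scheme list and the two payload strings are assumptions constructed for this example.

```ruby
require 'cgi'
require 'uri'

# Added example, not the gem's own code: a minimal renderer for the ProseMirror
# subset used in the advisory (paragraph, text, link mark). It contrasts the
# pre-0.2.1 attribute interpolation with the CGI.escapeHTML fix from 0.2.1 and
# adds an href scheme allowlist, which escaping alone does not give you.
module AttrDemo
  # Constructed payloads for this example (hypothetical, not from the advisory).
  BREAKOUT_HREF = %q{https://example.test/" onmouseover="alert(1)}
  JS_HREF       = "javascript:alert('Hello!')"
  SAFE_SCHEMES  = %w[http https mailto].freeze

  # Build a doc whose single text node carries a link mark with the given href.
  def self.doc_with_link(href)
    { 'type' => 'doc', 'content' => [
      { 'type' => 'paragraph', 'content' => [
        { 'type' => 'text', 'text' => 'Test',
          'marks' => [{ 'type' => 'link', 'attrs' => { 'href' => href } }] }
      ] }
    ] }
  end

  # Before the fix: the value is dropped into the tag verbatim, so a double
  # quote closes the attribute and the rest is parsed as new attributes.
  def self.attrs_unsafe(attrs)
    attrs.map { |k, v| %( #{k}="#{v}") }.join
  end

  # The 0.2.1 fix: CGI.escapeHTML rewrites & < > " ' as entities, so the value
  # can no longer terminate the attribute it sits in.
  def self.attrs_escaped(attrs)
    attrs.map { |k, v| %( #{k}="#{CGI.escapeHTML(v.to_s)}") }.join
  end

  # Escaping keeps the markup well-formed but emits javascript: URLs as-is.
  # Accept only relative URLs and an allowlist of schemes for href.
  def self.safe_href?(href)
    uri = URI.parse(href.to_s)
    uri.scheme.nil? || SAFE_SCHEMES.include?(uri.scheme.downcase)
  rescue URI::InvalidURIError
    false
  end

  # Escaping plus the scheme check; an unacceptable href is dropped entirely.
  def self.attrs_hardened(attrs)
    attrs.map do |k, v|
      next '' if k.to_s == 'href' && !safe_href?(v)
      %( #{k}="#{CGI.escapeHTML(v.to_s)}")
    end.join
  end

  # Render the doc, choosing how attributes are serialised via attr_fn
  # (:attrs_unsafe, :attrs_escaped or :attrs_hardened).
  def self.render(doc, attr_fn)
    doc['content'].map { |node| render_node(node, attr_fn) }.join
  end

  def self.render_node(node, attr_fn)
    case node['type']
    when 'paragraph'
      "<p>#{node['content'].map { |n| render_node(n, attr_fn) }.join}</p>"
    when 'text'
      html = CGI.escapeHTML(node['text'])  # text content was always escaped
      (node['marks'] || []).each do |mark|
        next unless mark['type'] == 'link'
        html = "<a#{send(attr_fn, mark['attrs'] || {})}>#{html}</a>"
      end
      html
    else
      ''
    end
  end
end

if $PROGRAM_NAME == __FILE__
  [:attrs_unsafe, :attrs_escaped, :attrs_hardened].each do |fn|
    puts "#{fn}: #{AttrDemo.render(AttrDemo.doc_with_link(AttrDemo::BREAKOUT_HREF), fn)}"
    puts "#{fn}: #{AttrDemo.render(AttrDemo.doc_with_link(AttrDemo::JS_HREF), fn)}"
  end
end
```

Running the script prints the unsafe rendering with a live onmouseover attribute, the escaped rendering where the same payload is inert inside href, and the hardened rendering where the javascript: link loses its href while an https link is kept. The scheme check is deliberately a separate step from escaping: escaping decides where a value ends, the allowlist decides what the value is allowed to mean.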
References
- github.com/advisories/GHSA-52c5-vh7f-26fx (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-64501 (NVD)
- github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb (source file)
- github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 (fix commit)
- github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx (repository advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/CVE-2025-64501.yml (ruby-advisory-db)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/GHSA-vfpf-xmwh-8m65.yml (ruby-advisory-db)