Summary
There is a possible cross-site scripting vulnerability in rails-html-sanitizer when the sanitizer is configured to allow an SVG reference element such as <use>. See related GHSA-9wjq-cp2p-hrgf in Loofah, whose SVG local-reference logic rails-html-sanitizer mirrors.
- Versions affected:
>= 1.0.3, < 1.7.1 - Not affected:
< 1.0.3 - Fixed versions:
1.7.1
Impact
Rails::HTML::PermitScrubber restricts SVG reference elements in the SVG_ALLOW_LOCAL_HREF collection to local, same-document references, but that restriction covered only the xlink:href attribute. Browsers also accept a plain href attribute per the SVG 2 spec, and it was not restricted, so those elements could reference arbitrary external documents. SVG <use> can load and render external SVG content by reference, and if the referenced document is same-origin and contains scripts, it could execute in the context of the sanitized document. <feImage> can load external images, which can be used for tracking.
Applications are impacted only when the allowed tags are overridden to include one of these SVG reference elements, for example <use> or <feImage>. The default allowed tags do not include these SVG elements, so applications using the default configuration are not affected.
Workarounds
Remove the SVG reference elements (such as use and feImage) from the overridden allowed tags. Applications using the default allowed tags are not affected.