Rails-html-sanitizer v1.4.4 addresses multiple CVEs

flavorjones · December 13, 2022, 1:48pm

rails-html-sanitizer v1.4.4 has been released. This is a security update which addresses multiple CVEs, and users are recommended to upgrade immediately.

The release notes are reproduced below, for more information please read the linked GHSAs.

1.4.4 / 2022-12-13

Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.
Address improper sanitization of data URIs.Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.
Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.
Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.

Topic		Replies	Views
[CVE-2022-32209] Possible XSS Vulnerability in Rails::Html::Sanitizer Security Announcements	0	4083	June 9, 2022
Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1, and rails-html-sanitizer 1.0.3 have been released! rubyonrails-talk announcement	6	246	January 27, 2016
[CVE-2022-22577] Possible XSS Vulnerability in Action Pack Security Announcements patch	0	11503	April 26, 2022
Rails 3.2.16 and 4.0.2 have been released rubyonrails-talk announcement	0	228	December 3, 2013
[SEC] [ANN] Rails 3.2.13, 3.1.12, and 2.3.18 have been released! rubyonrails-talk	2	157	March 30, 2013

Rails-html-sanitizer v1.4.4 addresses multiple CVEs

1.4.4 / 2022-12-13

Related topics

More Resources