HTML Injection Affecting sanitize package, versions <4.6.3


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.14% (52nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RUBY-SANITIZE-22024
  • published21 Mar 2018
  • disclosed19 Mar 2018
  • creditShopify Application Security Team

Introduced: 19 Mar 2018

CVE-2018-3740  (opens in a new tab)
CWE-74  (opens in a new tab)

How to fix?

Upgrade sanitize to version 4.6.3 or higher.

Overview

sanitize is a whitelist-based HTML and CSS sanitizer.

When used in combination with libxml2 versions >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements. This can allow HTML and JavaScript injection, which could result in XSS if Sanitize's output is served to browsers.

Timeline

  • 2018-03-19: Reported by Shopify Application Security Team via email
  • 2018-03-19: Sanitize 4.6.3 released with a fix
  • 2018-03-19: Initial vulnerability report published

References

CVSS Scores

version 3.1