{"id":143,"name":null,"description":null,"url":"https://github.com/rails/rails-html-sanitizer","last_synced_at":"2026-04-30T16:30:33.098Z","repository":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-24T18:45:50.000Z","size":399,"stargazers_count":330,"open_issues_count":9,"forks_count":86,"subscribers_count":21,"default_branch":"main","last_synced_at":"2026-04-25T10:05:41.212Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2026-04-23T20:52:52.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":234,"total_committers":34,"mean_commits":6.882352941176471,"dds":0.5726495726495726,"last_synced_commit":"08e39d99059c1179efd5e50fdb3bc60a262973f8"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/rails/rails-html-sanitizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/sbom","scorecard":{"id":759289,"data":{"date":"2025-08-11","repo":{"name":"github.com/rails/rails-html-sanitizer","commit":"c7ab9f2f52b403dfd7fcfb99c4fe1a42f0a91549"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: MIT-LICENSE:0","Info: FSF or OSI recognized license: MIT License: MIT-LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-353f-x4gh-cqq8","Warn: Project is vulnerable to: GHSA-5w6v-399v-w3cc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T22:49:30.398Z","repository_id":10807221,"created_at":"2025-08-22T22:49:30.398Z","updated_at":"2025-08-22T22:49:30.398Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32375961,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-28T09:24:15.638Z","status":"ssl_error","status_checked_at":"2026-04-28T09:24:15.071Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"owner":{"login":"rails","name":"Ruby on Rails","uuid":"4223","kind":"organization","description":"","email":null,"website":"https://rubyonrails.org/","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/4223?v=4","repositories_count":116,"last_synced_at":"2023-04-09T03:40:20.529Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/rails","funding_links":[],"total_stars":114333,"followers":null,"following":null,"created_at":"2022-11-02T16:17:13.297Z","updated_at":"2023-04-09T03:40:20.550Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails/repositories"},"packages":[{"id":8614662,"name":"github.com/rails/rails-html-sanitizer","ecosystem":"go","description":null,"homepage":null,"licenses":"mit","normalized_licenses":["MIT"],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":[],"namespace":null,"versions_count":18,"first_release_published_at":"2023-12-02T02:14:52.833Z","latest_release_published_at":"2026-02-24T18:45:07.000Z","latest_release_number":"v1.7.0","last_synced_at":"2026-04-18T18:24:19.893Z","created_at":"2023-12-02T02:14:48.140Z","updated_at":"2026-04-18T18:24:19.893Z","registry_url":"https://pkg.go.dev/github.com/rails/rails-html-sanitizer","install_command":"go get github.com/rails/rails-html-sanitizer","documentation_url":"https://pkg.go.dev/github.com/rails/rails-html-sanitizer#section-documentation","metadata":{},"repo_metadata":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2025-10-10T18:40:54.000Z","size":396,"stargazers_count":326,"open_issues_count":11,"forks_count":86,"subscribers_count":22,"default_branch":"main","last_synced_at":"2025-12-30T01:27:49.760Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2025-12-25T07:10:08.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":234,"total_committers":34,"mean_commits":6.882352941176471,"dds":0.5726495726495726,"last_synced_commit":"08e39d99059c1179efd5e50fdb3bc60a262973f8"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/rails/rails-html-sanitizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/sbom","scorecard":{"id":759289,"data":{"date":"2025-08-11","repo":{"name":"github.com/rails/rails-html-sanitizer","commit":"c7ab9f2f52b403dfd7fcfb99c4fe1a42f0a91549"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: MIT-LICENSE:0","Info: FSF or OSI recognized license: MIT License: MIT-LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-353f-x4gh-cqq8","Warn: Project is vulnerable to: GHSA-5w6v-399v-w3cc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T22:49:30.398Z","repository_id":10807221,"created_at":"2025-08-22T22:49:30.398Z","updated_at":"2025-08-22T22:49:30.398Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28143876,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-31T02:00:06.200Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"rails","name":"Ruby on Rails","uuid":"4223","kind":"organization","description":"","email":null,"website":"https://rubyonrails.org/","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/4223?v=4","repositories_count":116,"last_synced_at":"2023-04-09T03:40:20.529Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/rails","funding_links":[],"total_stars":114333,"followers":null,"following":null,"created_at":"2022-11-02T16:17:13.297Z","updated_at":"2023-04-09T03:40:20.550Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails/repositories"},"tags":[{"name":"v1.6.2","sha":"9160d49020b57828ea536ffedc9cac8fef98ee59","kind":"commit","published_at":"2024-12-12T20:59:07.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.2/manifests"},{"name":"v1.6.1","sha":"5e96b19bbb934284e675109851bd82429622bb6e","kind":"commit","published_at":"2024-12-02T20:50:58.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.1/manifests"},{"name":"v1.6.0","sha":"19fd6cd66f31316642e758bf01a410f3fd128f42","kind":"commit","published_at":"2023-05-26T13:20:28.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0/manifests"},{"name":"v1.6.0.rc2","sha":"3b31be5adbf1a351d3acd2527aaa687978caee81","kind":"commit","published_at":"2023-05-24T21:18:26.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0.rc2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2/manifests"},{"name":"v1.6.0.rc1","sha":"5419017d38a5544f8bffd8b23ea67862e4350215","kind":"commit","published_at":"2023-05-24T16:19:29.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0.rc1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1/manifests"},{"name":"v1.5.0","sha":"a337ec8a348b15a5ae52c5698cbf38dbc50bf34d","kind":"commit","published_at":"2023-01-20T18:52:01.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.5.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.5.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0/manifests"},{"name":"v1.4.4","sha":"fd63deaeb22e601237d4d4d12014e7ebd410ea9b","kind":"commit","published_at":"2022-12-12T22:43:11.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4/manifests"},{"name":"v1.4.3","sha":"f83f08c81a3a33ce0fb1c379933c416ae80672fa","kind":"commit","published_at":"2022-06-09T22:23:09.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3/manifests"},{"name":"v1.4.2","sha":"c86fed1dedb5380a4e46df5b4e8ee2904eac369d","kind":"commit","published_at":"2021-08-24T00:15:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2/manifests"},{"name":"v1.4.1","sha":"b41bc7a9d04190d4237aa263c9a2ff70afbcc5bf","kind":"commit","published_at":"2021-08-18T20:51:54.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1/manifests"},{"name":"v1.4.0","sha":"2e9ec19859c03c15c912732e5528ea0e8a7326da","kind":"commit","published_at":"2021-08-18T17:10:27.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0/manifests"},{"name":"v1.3.0","sha":"51dc564c6509201070f72456bb2c13f87bb373d6","kind":"commit","published_at":"2019-10-06T15:12:45.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.3.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.3.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0/manifests"},{"name":"v1.2.0","sha":"b8ea80d5f840a834a808a2171df3ada524b2a010","kind":"tag","published_at":"2019-08-08T22:04:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.2.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.2.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0/manifests"},{"name":"v1.1.0","sha":"df0c946aa0c1913e9b8e94be96da59fb57ec9d67","kind":"tag","published_at":"2019-08-05T01:14:03.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.1.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.1.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0/manifests"},{"name":"v1.0.4","sha":"53bf066ac3a163546a9c7c44c30998c21068c42d","kind":"tag","published_at":"2018-03-22T19:03:40.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4/manifests"},{"name":"v1.0.3","sha":"5c4354db7524b1df891df0a3e29877ce9f7575ca","kind":"tag","published_at":"2016-01-25T18:28:49.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3/manifests"},{"name":"v1.0.2","sha":"4f0f7810fce6c8aa63de07a40d69d6027a30acaf","kind":"tag","published_at":"2015-03-06T23:41:30.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2/manifests"},{"name":"v1.0.1","sha":"6b14d6a9e11b58253337df95f2b699665cf8b463","kind":"tag","published_at":"2014-09-25T16:05:46.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1/manifests"},{"name":"v1.0.0","sha":"71d89f668ee103b8a8422155ac61fe9f0754946d","kind":"tag","published_at":"2014-08-19T19:46:56.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0/manifests"}]},"repo_metadata_updated_at":"2026-01-02T06:36:41.569Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":10.801592556016239,"dependent_packages_count":9.575730298247606,"stargazers_count":3.2441711545052416,"forks_count":2.5944839212321713,"docker_downloads_count":null,"average":6.553994482500315},"purl":"pkg:golang/github.com/rails/rails-html-sanitizer","advisories":[],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/rails/rails-html-sanitizer","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/rails/rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/rails/rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2025-12-31T00:01:03.270Z","issues_count":47,"pull_requests_count":131,"avg_time_to_close_issue":19457960.85365854,"avg_time_to_close_pull_request":1746126.1404958677,"issues_closed_count":41,"pull_requests_closed_count":121,"pull_request_authors_count":46,"issue_authors_count":42,"avg_comments_per_issue":4.085106382978723,"avg_comments_per_pull_request":1.0916030534351144,"merged_pull_requests_count":95,"bot_issues_count":0,"bot_pull_requests_count":21,"past_year_issues_count":2,"past_year_pull_requests_count":20,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":216783.26666666666,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":15,"past_year_pull_request_authors_count":3,"past_year_issue_authors_count":2,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.4,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":14,"past_year_merged_pull_requests_count":15,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","maintainers":[{"login":"flavorjones","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"},{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}],"active_maintainers":[{"login":"flavorjones","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/codemeta","maintainers":[],"registry":{"name":"proxy.golang.org","url":"https://proxy.golang.org","ecosystem":"go","default":true,"packages_count":2108863,"maintainers_count":0,"namespaces_count":782439,"keywords_count":112823,"github":"golang","metadata":{"funded_packages_count":53495},"icon_url":"https://github.com/golang.png","created_at":"2022-04-04T15:19:22.939Z","updated_at":"2026-04-19T05:14:45.920Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/namespaces"}},{"id":13950849,"name":"ruby-rails-html-sanitizer","ecosystem":"guix","description":"HTML sanitization for Rails applications","homepage":"https://github.com/rails/rails-html-sanitizer","licenses":"expat","normalized_licenses":["Other"],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":[],"namespace":null,"versions_count":1,"first_release_published_at":"2026-03-02T19:04:10.601Z","latest_release_published_at":"2026-03-02T19:04:10.601Z","latest_release_number":"1.6.0","last_synced_at":"2026-04-27T16:22:49.745Z","created_at":"2026-03-02T19:04:10.362Z","updated_at":"2026-04-27T16:22:49.746Z","registry_url":"https://packages.guix.gnu.org/packages/ruby-rails-html-sanitizer/1.6.0/","install_command":"guix install ruby-rails-html-sanitizer","documentation_url":"https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/rails.scm#n461","metadata":{"location":"gnu/packages/rails.scm:461","variable_name":"ruby-rails-html-sanitizer"},"repo_metadata":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-17T16:40:48.000Z","size":398,"stargazers_count":328,"open_issues_count":13,"forks_count":86,"subscribers_count":22,"default_branch":"main","last_synced_at":"2026-02-24T12:57:28.037Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2026-02-20T11:21:52.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":234,"total_committers":34,"mean_commits":6.882352941176471,"dds":0.5726495726495726,"last_synced_commit":"08e39d99059c1179efd5e50fdb3bc60a262973f8"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/rails/rails-html-sanitizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/sbom","scorecard":{"id":759289,"data":{"date":"2025-08-11","repo":{"name":"github.com/rails/rails-html-sanitizer","commit":"c7ab9f2f52b403dfd7fcfb99c4fe1a42f0a91549"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: MIT-LICENSE:0","Info: FSF or OSI recognized license: MIT License: MIT-LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-353f-x4gh-cqq8","Warn: Project is vulnerable to: GHSA-5w6v-399v-w3cc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T22:49:30.398Z","repository_id":10807221,"created_at":"2025-08-22T22:49:30.398Z","updated_at":"2025-08-22T22:49:30.398Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30016507,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-02T17:00:27.440Z","status":"ssl_error","status_checked_at":"2026-03-02T17:00:03.402Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"repo_metadata_updated_at":"2026-04-03T01:25:02.937Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":0.0,"dependent_packages_count":0.0,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":100},"purl":"pkg:guix/ruby-rails-html-sanitizer","advisories":[],"docker_usage_url":"https://docker.ecosyste.ms/usage/guix/ruby-rails-html-sanitizer","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/guix/ruby-rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/guix/ruby-rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-02-27T05:02:13.625Z","issues_count":47,"pull_requests_count":133,"avg_time_to_close_issue":19457960.85365854,"avg_time_to_close_pull_request":1837195.9674796748,"issues_closed_count":41,"pull_requests_closed_count":123,"pull_request_authors_count":47,"issue_authors_count":42,"avg_comments_per_issue":4.085106382978723,"avg_comments_per_pull_request":1.1052631578947367,"merged_pull_requests_count":95,"bot_issues_count":0,"bot_pull_requests_count":22,"past_year_issues_count":2,"past_year_pull_requests_count":20,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":1117208.8125,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":16,"past_year_pull_request_authors_count":4,"past_year_issue_authors_count":2,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.6,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":13,"past_year_merged_pull_requests_count":14,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","maintainers":[{"login":"flavorjones","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"},{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}],"active_maintainers":[{"login":"flavorjones","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/codemeta","maintainers":[],"registry":{"name":"guix","url":"https://guix.gnu.org","ecosystem":"guix","default":true,"packages_count":31165,"maintainers_count":0,"namespaces_count":0,"keywords_count":0,"github":"guix-mirror","metadata":{"funded_packages_count":286},"icon_url":"https://github.com/guix-mirror.png","created_at":"2026-03-02T16:23:46.981Z","updated_at":"2026-04-03T06:23:21.396Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/guix/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/guix/namespaces"}},{"id":12303701,"name":"rails-html-sanitizer","ecosystem":"rubygems","description":"HTML sanitization for Rails applications","homepage":"https://github.com/rails/rails-html-sanitizer","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":[],"namespace":null,"versions_count":20,"first_release_published_at":"2014-08-19T19:47:15.038Z","latest_release_published_at":"2026-02-24T18:46:02.899Z","latest_release_number":"1.7.0","last_synced_at":"2026-04-28T00:30:38.338Z","created_at":"2025-10-07T05:15:55.950Z","updated_at":"2026-04-28T00:33:56.757Z","registry_url":"https://gem.coop/gems/rails-html-sanitizer","install_command":"gem install rails-html-sanitizer -s https://gem.coop","documentation_url":"http://www.rubydoc.info/gems/rails-html-sanitizer/","metadata":{"funding":null},"repo_metadata":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-24T18:45:50.000Z","size":399,"stargazers_count":329,"open_issues_count":9,"forks_count":86,"subscribers_count":22,"default_branch":"main","last_synced_at":"2026-04-11T08:07:37.707Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2026-02-27T12:49:28.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":234,"total_committers":34,"mean_commits":6.882352941176471,"dds":0.5726495726495726,"last_synced_commit":"08e39d99059c1179efd5e50fdb3bc60a262973f8"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/rails/rails-html-sanitizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/sbom","scorecard":{"id":759289,"data":{"date":"2025-08-11","repo":{"name":"github.com/rails/rails-html-sanitizer","commit":"c7ab9f2f52b403dfd7fcfb99c4fe1a42f0a91549"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: MIT-LICENSE:0","Info: FSF or OSI recognized license: MIT License: MIT-LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-353f-x4gh-cqq8","Warn: Project is vulnerable to: GHSA-5w6v-399v-w3cc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T22:49:30.398Z","repository_id":10807221,"created_at":"2025-08-22T22:49:30.398Z","updated_at":"2025-08-22T22:49:30.398Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31818195,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T18:05:02.291Z","status":"ssl_error","status_checked_at":"2026-04-14T18:05:01.765Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"rails","name":"Ruby on Rails","uuid":"4223","kind":"organization","description":"","email":null,"website":"https://rubyonrails.org/","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/4223?v=4","repositories_count":116,"last_synced_at":"2023-04-09T03:40:20.529Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/rails","funding_links":[],"total_stars":114333,"followers":null,"following":null,"created_at":"2022-11-02T16:17:13.297Z","updated_at":"2023-04-09T03:40:20.550Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails/repositories"},"tags":[{"name":"v1.7.0","sha":"a8a04134d77f765a166188ef0850369adb6686ab","kind":"commit","published_at":"2026-02-24T18:45:07.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.7.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.7.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.7.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.7.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.7.0/manifests"},{"name":"v1.6.2","sha":"9160d49020b57828ea536ffedc9cac8fef98ee59","kind":"commit","published_at":"2024-12-12T20:59:07.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.2/manifests"},{"name":"v1.6.1","sha":"5e96b19bbb934284e675109851bd82429622bb6e","kind":"commit","published_at":"2024-12-02T20:50:58.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.1/manifests"},{"name":"v1.6.0","sha":"19fd6cd66f31316642e758bf01a410f3fd128f42","kind":"commit","published_at":"2023-05-26T13:20:28.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0/manifests"},{"name":"v1.6.0.rc2","sha":"3b31be5adbf1a351d3acd2527aaa687978caee81","kind":"commit","published_at":"2023-05-24T21:18:26.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0.rc2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2/manifests"},{"name":"v1.6.0.rc1","sha":"5419017d38a5544f8bffd8b23ea67862e4350215","kind":"commit","published_at":"2023-05-24T16:19:29.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0.rc1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1/manifests"},{"name":"v1.5.0","sha":"a337ec8a348b15a5ae52c5698cbf38dbc50bf34d","kind":"commit","published_at":"2023-01-20T18:52:01.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.5.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.5.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0/manifests"},{"name":"v1.4.4","sha":"fd63deaeb22e601237d4d4d12014e7ebd410ea9b","kind":"commit","published_at":"2022-12-12T22:43:11.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4/manifests"},{"name":"v1.4.3","sha":"f83f08c81a3a33ce0fb1c379933c416ae80672fa","kind":"commit","published_at":"2022-06-09T22:23:09.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3/manifests"},{"name":"v1.4.2","sha":"c86fed1dedb5380a4e46df5b4e8ee2904eac369d","kind":"commit","published_at":"2021-08-24T00:15:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2/manifests"},{"name":"v1.4.1","sha":"b41bc7a9d04190d4237aa263c9a2ff70afbcc5bf","kind":"commit","published_at":"2021-08-18T20:51:54.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1/manifests"},{"name":"v1.4.0","sha":"2e9ec19859c03c15c912732e5528ea0e8a7326da","kind":"commit","published_at":"2021-08-18T17:10:27.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0/manifests"},{"name":"v1.3.0","sha":"51dc564c6509201070f72456bb2c13f87bb373d6","kind":"commit","published_at":"2019-10-06T15:12:45.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.3.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.3.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0/manifests"},{"name":"v1.2.0","sha":"b8ea80d5f840a834a808a2171df3ada524b2a010","kind":"tag","published_at":"2019-08-08T22:04:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.2.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.2.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0/manifests"},{"name":"v1.1.0","sha":"df0c946aa0c1913e9b8e94be96da59fb57ec9d67","kind":"tag","published_at":"2019-08-05T01:14:03.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.1.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.1.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0/manifests"},{"name":"v1.0.4","sha":"53bf066ac3a163546a9c7c44c30998c21068c42d","kind":"tag","published_at":"2018-03-22T19:03:40.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4/manifests"},{"name":"v1.0.3","sha":"5c4354db7524b1df891df0a3e29877ce9f7575ca","kind":"tag","published_at":"2016-01-25T18:28:49.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3/manifests"},{"name":"v1.0.2","sha":"4f0f7810fce6c8aa63de07a40d69d6027a30acaf","kind":"tag","published_at":"2015-03-06T23:41:30.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2/manifests"},{"name":"v1.0.1","sha":"6b14d6a9e11b58253337df95f2b699665cf8b463","kind":"tag","published_at":"2014-09-25T16:05:46.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1/manifests"},{"name":"v1.0.0","sha":"71d89f668ee103b8a8422155ac61fe9f0754946d","kind":"tag","published_at":"2014-08-19T19:46:56.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0/manifests"}]},"repo_metadata_updated_at":"2026-04-28T00:33:56.724Z","dependent_packages_count":0,"downloads":653359677,"downloads_period":"total","dependent_repos_count":0,"rankings":{"downloads":0.030816640986132512,"dependent_repos_count":0.0,"dependent_packages_count":0.0,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":0.01027221366204417},"purl":"pkg:gem/rails-html-sanitizer?repository_url=https://gem.coop","advisories":[{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2","url":"https://github.com/advisories/GHSA-r9c2-cr39-c8g6","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the `Rails::Html::FullSanitizer` class.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7579","https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f","https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/12","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-r9c2-cr39-c8g6"],"source_kind":"github","identifiers":["GHSA-r9c2-cr39-c8g6","CVE-2015-7579"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.175Z","updated_at":"2023-01-24T14:56:24.000Z","epss_percentage":0.00166,"epss_percentile":0.38251,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x","url":"https://github.com/advisories/GHSA-rxv5-gxqc-xx8g","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"noscript\" element is explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"noscript\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"noscript\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"noscript\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"noscript\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"noscript\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"noscript\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"noscript\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2509647\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T22:18:27.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g","https://nvd.nist.gov/vuln/detail/CVE-2024-53989","https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53989.yml","https://github.com/advisories/GHSA-rxv5-gxqc-xx8g"],"source_kind":"github","identifiers":["GHSA-rxv5-gxqc-xx8g","CVE-2024-53989"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T23:06:49.936Z","updated_at":"2024-12-03T18:50:36.000Z","epss_percentage":0.0024,"epss_percentile":0.47196,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s","url":"https://github.com/advisories/GHSA-638j-pmjw-jq48","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\" and \"style\" elements are both explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"math\" and \"style\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"math\" or \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519941\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:24.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48","https://nvd.nist.gov/vuln/detail/CVE-2024-53986","https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53986.yml","https://github.com/advisories/GHSA-638j-pmjw-jq48"],"source_kind":"github","identifiers":["GHSA-638j-pmjw-jq48","CVE-2024-53986"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.065Z","updated_at":"2024-12-03T18:50:31.000Z","epss_percentage":0.0024,"epss_percentile":0.47196,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4","url":"https://github.com/advisories/GHSA-px3r-jm9g-c8w8","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-04-26T15:41:10.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2018-3741","https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae","https://github.com/advisories/GHSA-px3r-jm9g-c8w8"],"source_kind":"github","identifiers":["GHSA-px3r-jm9g-c8w8","CVE-2018-3741"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:37.288Z","updated_at":"2023-03-01T18:54:08.000Z","epss_percentage":0.00476,"epss_percentile":0.64064,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.4","vulnerable_version_range":"\u003c 1.0.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3"],"unaffected_versions":["1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx","url":"https://github.com/advisories/GHSA-ghqm-pgxj-37gq","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in `lib/rails/html/scrubbers.rb` in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7580","https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78","https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/15","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-ghqm-pgxj-37gq"],"source_kind":"github","identifiers":["GHSA-ghqm-pgxj-37gq","CVE-2015-7580"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.185Z","updated_at":"2023-01-23T21:16:06.000Z","epss_percentage":0.00193,"epss_percentile":0.41417,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo","url":"https://github.com/advisories/GHSA-77pc-q5q7-qg9h","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:58:30.000Z","withdrawn_at":"2020-06-16T21:21:56.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7580","https://github.com/advisories/GHSA-77pc-q5q7-qg9h"],"source_kind":"github","identifiers":["GHSA-77pc-q5q7-qg9h"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.116Z","updated_at":"2023-01-09T05:02:36.000Z","epss_percentage":null,"epss_percentile":null,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4","url":"https://github.com/advisories/GHSA-mrhj-2g4v-39qx","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:58:19.000Z","withdrawn_at":"2020-06-16T21:47:07.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7579","https://github.com/advisories/GHSA-mrhj-2g4v-39qx"],"source_kind":"github","identifiers":["GHSA-mrhj-2g4v-39qx"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.125Z","updated_at":"2023-01-09T05:03:22.000Z","epss_percentage":null,"epss_percentile":null,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"= 1.0.2"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2","url":"https://github.com/advisories/GHSA-qc8j-m8j3-rjq6","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:57:58.000Z","withdrawn_at":"2020-06-17T15:15:01.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7578","https://github.com/advisories/GHSA-qc8j-m8j3-rjq6"],"source_kind":"github","identifiers":["GHSA-qc8j-m8j3-rjq6"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.134Z","updated_at":"2023-01-09T05:03:18.000Z","epss_percentage":null,"epss_percentile":null,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u","url":"https://github.com/advisories/GHSA-2x5m-9ch4-qgrr","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"style\" element is explicitly allowed\n- the \"svg\" or \"math\" element is not allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"style\" and omit \"svg\" or \"math\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:56.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr","https://nvd.nist.gov/vuln/detail/CVE-2024-53987","https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53987.yml","https://github.com/advisories/GHSA-2x5m-9ch4-qgrr"],"source_kind":"github","identifiers":["GHSA-2x5m-9ch4-qgrr","CVE-2024-53987"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:13.966Z","updated_at":"2024-12-03T18:50:33.000Z","epss_percentage":0.0024,"epss_percentile":0.47196,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r","url":"https://github.com/advisories/GHSA-w8gc-x259-rc7x","title":"rails-html-sanitize has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0 and Nokogiri \u003c 1.15.7, or 1.16.x \u003c 1.16.8.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\nPlease note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or \u003e= 1.16.8.\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n* allow both \"math\" and \"style\" elements\n* or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"svg\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"svg\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, remove \"math\" and \"svg\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information)\n- Or, independently upgrade Nokogiri to v1.15.7 or \u003e= 1.16.8.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2503220\n\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:14.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x","https://nvd.nist.gov/vuln/detail/CVE-2024-53985","https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1","https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml","https://github.com/advisories/GHSA-w8gc-x259-rc7x"],"source_kind":"github","identifiers":["GHSA-w8gc-x259-rc7x","CVE-2024-53985"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.111Z","updated_at":"2024-12-03T18:50:30.000Z","epss_percentage":0.00333,"epss_percentile":0.55582,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t","url":"https://github.com/advisories/GHSA-cfjx-w229-hgx5","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\", \"mtext\", \"table\", and \"style\" elements are allowed\n- and either \"mglyph\" or \"malignmark\" are allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements except for \"table\". Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include (\"math\" and \"mtext\" and \"table\" and \"style\" and (\"mglyph\" or \"malignmark\")) should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"mglyph\" and \"malignmark\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5","https://nvd.nist.gov/vuln/detail/CVE-2024-53988","https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53988.yml","https://github.com/advisories/GHSA-cfjx-w229-hgx5"],"source_kind":"github","identifiers":["GHSA-cfjx-w229-hgx5","CVE-2024-53988"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.020Z","updated_at":"2024-12-03T18:50:34.000Z","epss_percentage":0.0024,"epss_percentile":0.47196,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf","url":"https://github.com/advisories/GHSA-5x79-w82f-gw8w","title":"Inefficient Regular Expression Complexity in rails-html-sanitizer","description":"## Summary\n\nCertain configurations of rails-html-sanitizer `\u003c 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)\n- https://hackerone.com/reports/1684163\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-12-13T17:43:02.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w","https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979","https://hackerone.com/reports/1684163","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23517","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-5x79-w82f-gw8w"],"source_kind":"github","identifiers":["GHSA-5x79-w82f-gw8w","CVE-2022-23517"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.416Z","updated_at":"2025-11-04T16:41:25.000Z","epss_percentage":0.00263,"epss_percentile":0.49561,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg","url":"https://github.com/advisories/GHSA-mcvf-2q2m-x72m","title":"Improper neutralization of data URIs may allow XSS in rails-html-sanitizer","description":"## Summary\n\nrails-html-sanitizer `\u003e= 1.0.3, \u003c 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `\u003e= 2.1.0`.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)\n- https://github.com/rails/rails-html-sanitizer/issues/135\n- https://hackerone.com/reports/1694173\n\n\n## Credit\n\nThis vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:45:39.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m","https://github.com/rails/rails-html-sanitizer/issues/135","https://github.com/w3c/svgwg/issues/266","https://hackerone.com/reports/1694173","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23518.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23518","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-mcvf-2q2m-x72m"],"source_kind":"github","identifiers":["GHSA-mcvf-2q2m-x72m","CVE-2022-23518"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.408Z","updated_at":"2025-11-04T16:41:47.000Z","epss_percentage":0.00277,"epss_percentile":0.50791,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003e= 1.0.3, \u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3","url":"https://github.com/advisories/GHSA-59c7-4xj2-hgvw","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7578","https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4","https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/11","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-59c7-4xj2-hgvw"],"source_kind":"github","identifiers":["GHSA-59c7-4xj2-hgvw","CVE-2015-7578"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.165Z","updated_at":"2023-01-23T20:38:11.000Z","epss_percentage":0.00166,"epss_percentile":0.38251,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi","url":"https://github.com/advisories/GHSA-rrfc-7g8p-99q8","title":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements.\n\nCode is only impacted if allowed tags are being overridden using either of the following two mechanisms:\n\n1. Using the Rails configuration `config.action_view.sanitized_allow_tags=`:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n  ```\n\n  (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)\n\n2. Using the class method `Rails::Html::SafeListSanitizer.allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by either of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\nNOTE: Code is _not_ impacted if allowed tags are overridden using either of the following mechanisms:\n\n- the `:tags` option to the Action View helper method `sanitize`.\n- the `:tags` option to the instance method `SafeListSanitizer#sanitize`.\n\n\n## Workarounds\n\nRemove either \"select\" or \"style\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209\n- https://hackerone.com/reports/1654310\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:51:40.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8","https://hackerone.com/reports/1654310","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23520.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23520","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-rrfc-7g8p-99q8"],"source_kind":"github","identifiers":["GHSA-rrfc-7g8p-99q8","CVE-2022-23520"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.390Z","updated_at":"2025-11-04T16:42:29.000Z","epss_percentage":0.00366,"epss_percentile":0.57912,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c","url":"https://github.com/advisories/GHSA-pg8v-g4xq-hww9","title":"Rails::Html::Sanitizer vulnerable to Cross-site Scripting","description":"Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which  allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. \n\nThis may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`: ```\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e``` \n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize \n\nIt may also be done with Rails::Html::SafeListSanitizer directly: \n```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]```  or with\n```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-06-25T00:00:54.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2022-32209","https://hackerone.com/reports/1530898","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml","https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s","https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html","https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","https://github.com/advisories/GHSA-pg8v-g4xq-hww9"],"source_kind":"github","identifiers":["GHSA-pg8v-g4xq-hww9","CVE-2022-32209"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:12:14.237Z","updated_at":"2025-11-04T16:39:38.000Z","epss_percentage":0.05749,"epss_percentile":0.90045,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.3","vulnerable_version_range":"\u003c 1.4.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2"],"unaffected_versions":["1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh","url":"https://github.com/advisories/GHSA-9h9g-93gc-623h","title":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n- allow both \"math\" and \"style\" elements,\n- or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:\n\n1. using application configuration:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"svg\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds immediately.\n\n\n## Workarounds\n\nRemove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://hackerone.com/reports/1656627\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:50:25.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h","https://hackerone.com/reports/1656627","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23519","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-9h9g-93gc-623h"],"source_kind":"github","identifiers":["GHSA-9h9g-93gc-623h","CVE-2022-23519"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.399Z","updated_at":"2025-11-04T16:42:00.000Z","epss_percentage":0.00152,"epss_percentile":0.36487,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/rubygems/rails-html-sanitizer","docker_dependents_count":1354,"docker_downloads_count":821064172,"usage_url":"https://repos.ecosyste.ms/usage/rubygems/rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/rubygems/rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-02-27T05:02:13.625Z","issues_count":47,"pull_requests_count":133,"avg_time_to_close_issue":19457960.85365854,"avg_time_to_close_pull_request":1837195.9674796748,"issues_closed_count":41,"pull_requests_closed_count":123,"pull_request_authors_count":47,"issue_authors_count":42,"avg_comments_per_issue":4.085106382978723,"avg_comments_per_pull_request":1.1052631578947367,"merged_pull_requests_count":95,"bot_issues_count":0,"bot_pull_requests_count":22,"past_year_issues_count":2,"past_year_pull_requests_count":20,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":1117208.8125,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":16,"past_year_pull_request_authors_count":4,"past_year_issue_authors_count":2,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.6,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":13,"past_year_merged_pull_requests_count":14,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","maintainers":[{"login":"flavorjones","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"},{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}],"active_maintainers":[{"login":"flavorjones","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/codemeta","maintainers":[{"uuid":"207","login":"tenderlove","name":null,"email":null,"url":null,"packages_count":190,"html_url":"https://gem.coop/profiles/tenderlove","role":null,"created_at":"2025-10-08T03:46:14.295Z","updated_at":"2025-10-08T03:46:14.295Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/tenderlove/packages"},{"uuid":"1550","login":"webster132","name":null,"email":null,"url":null,"packages_count":82,"html_url":"https://gem.coop/profiles/webster132","role":null,"created_at":"2025-10-08T03:46:14.079Z","updated_at":"2025-10-08T03:46:14.079Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/webster132/packages"},{"uuid":"43998","login":"guilleiguaran","name":null,"email":null,"url":null,"packages_count":85,"html_url":"https://gem.coop/profiles/guilleiguaran","role":null,"created_at":"2025-10-08T03:46:14.124Z","updated_at":"2025-10-08T03:46:14.124Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/guilleiguaran/packages"},{"uuid":"32977","login":"fxn","name":null,"email":null,"url":null,"packages_count":62,"html_url":"https://gem.coop/profiles/fxn","role":null,"created_at":"2025-10-08T03:46:14.185Z","updated_at":"2025-10-08T03:46:14.185Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/fxn/packages"},{"uuid":"429","login":"cantoniodasilva","name":null,"email":null,"url":null,"packages_count":67,"html_url":"https://gem.coop/profiles/cantoniodasilva","role":null,"created_at":"2025-10-08T03:46:14.235Z","updated_at":"2025-10-08T03:46:14.235Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/cantoniodasilva/packages"},{"uuid":"47349","login":"rafaelfranca","name":null,"email":null,"url":null,"packages_count":107,"html_url":"https://gem.coop/profiles/rafaelfranca","role":null,"created_at":"2025-10-08T03:46:13.987Z","updated_at":"2025-10-08T03:46:13.987Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/rafaelfranca/packages"},{"uuid":"337","login":"jeremydaer","name":null,"email":null,"url":null,"packages_count":63,"html_url":"https://gem.coop/profiles/jeremydaer","role":null,"created_at":"2025-10-08T03:46:14.033Z","updated_at":"2025-10-08T03:46:14.033Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/jeremydaer/packages"},{"uuid":"528","login":"matthewd","name":null,"email":null,"url":null,"packages_count":66,"html_url":"https://gem.coop/profiles/matthewd","role":null,"created_at":"2025-10-08T03:46:14.346Z","updated_at":"2025-10-08T03:46:14.346Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/matthewd/packages"},{"uuid":"96878","login":"eileencodes","name":null,"email":null,"url":null,"packages_count":54,"html_url":"https://gem.coop/profiles/eileencodes","role":null,"created_at":"2025-10-08T03:46:14.396Z","updated_at":"2025-10-08T03:46:14.396Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/eileencodes/packages"},{"uuid":"46413","login":"byroot","name":null,"email":null,"url":null,"packages_count":105,"html_url":"https://gem.coop/profiles/byroot","role":null,"created_at":"2025-10-08T03:46:14.442Z","updated_at":"2025-10-08T03:46:14.442Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/byroot/packages"},{"uuid":"43492","login":"jhawthorn","name":null,"email":null,"url":null,"packages_count":150,"html_url":"https://gem.coop/profiles/jhawthorn","role":null,"created_at":"2025-10-08T03:46:14.489Z","updated_at":"2025-10-08T03:46:14.489Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/jhawthorn/packages"},{"uuid":"54617","login":"kamipo","name":null,"email":null,"url":null,"packages_count":61,"html_url":"https://gem.coop/profiles/kamipo","role":null,"created_at":"2025-10-08T03:46:14.536Z","updated_at":"2025-10-08T03:46:14.536Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/kamipo/packages"},{"uuid":"2583","login":"flavorjones","name":null,"email":null,"url":null,"packages_count":48,"html_url":"https://gem.coop/profiles/flavorjones","role":null,"created_at":"2025-10-08T03:46:13.941Z","updated_at":"2025-10-08T03:46:13.941Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/flavorjones/packages"}],"registry":{"name":"gem.coop","url":"https://gem.coop","ecosystem":"rubygems","default":false,"packages_count":190345,"maintainers_count":67465,"namespaces_count":0,"keywords_count":0,"github":"gem-coop","metadata":{"funded_packages_count":6507},"icon_url":"https://github.com/gem-coop.png","created_at":"2025-10-06T17:24:20.932Z","updated_at":"2026-04-03T06:45:05.763Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/namespaces"}},{"id":281551,"name":"rails-html-sanitizer","ecosystem":"rubygems","description":"HTML sanitization for Rails applications","homepage":"https://github.com/rails/rails-html-sanitizer","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":[],"namespace":null,"versions_count":20,"first_release_published_at":"2014-08-19T19:47:15.038Z","latest_release_published_at":"2026-02-24T18:46:02.899Z","latest_release_number":"1.7.0","last_synced_at":"2026-04-28T03:12:16.052Z","created_at":"2022-04-06T08:19:41.033Z","updated_at":"2026-04-28T05:11:57.268Z","registry_url":"https://rubygems.org/gems/rails-html-sanitizer","install_command":"gem install rails-html-sanitizer -s https://rubygems.org","documentation_url":"http://www.rubydoc.info/gems/rails-html-sanitizer/","metadata":{"funding":null},"repo_metadata":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2024-10-28T18:44:48.000Z","size":335,"stargazers_count":305,"open_issues_count":10,"forks_count":83,"subscribers_count":26,"default_branch":"main","last_synced_at":"2024-10-29T14:14:59.623Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2024-10-25T02:01:18.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":163,"total_committers":27,"mean_commits":6.037037037037037,"dds":0.6871165644171779,"last_synced_commit":"0c567b4b5a0c237ca880037034d390211b089d5b"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222088726,"owners_count":16929012,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"rails","name":"Ruby on Rails","uuid":"4223","kind":"organization","description":"","email":null,"website":"https://rubyonrails.org/","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/4223?v=4","repositories_count":116,"last_synced_at":"2023-04-09T03:40:20.529Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/rails","funding_links":[],"total_stars":114333,"followers":null,"following":null,"created_at":"2022-11-02T16:17:13.297Z","updated_at":"2023-04-09T03:40:20.550Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails/repositories"},"tags":[{"name":"v1.6.0","sha":"19fd6cd66f31316642e758bf01a410f3fd128f42","kind":"commit","published_at":"2023-05-26T13:20:28.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0/manifests"},{"name":"v1.6.0.rc2","sha":"3b31be5adbf1a351d3acd2527aaa687978caee81","kind":"commit","published_at":"2023-05-24T21:18:26.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2/manifests"},{"name":"v1.6.0.rc1","sha":"5419017d38a5544f8bffd8b23ea67862e4350215","kind":"commit","published_at":"2023-05-24T16:19:29.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1/manifests"},{"name":"v1.5.0","sha":"a337ec8a348b15a5ae52c5698cbf38dbc50bf34d","kind":"commit","published_at":"2023-01-20T18:52:01.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.5.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0/manifests"},{"name":"v1.4.4","sha":"fd63deaeb22e601237d4d4d12014e7ebd410ea9b","kind":"commit","published_at":"2022-12-12T22:43:11.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4/manifests"},{"name":"v1.4.3","sha":"f83f08c81a3a33ce0fb1c379933c416ae80672fa","kind":"commit","published_at":"2022-06-09T22:23:09.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3/manifests"},{"name":"v1.4.2","sha":"c86fed1dedb5380a4e46df5b4e8ee2904eac369d","kind":"commit","published_at":"2021-08-24T00:15:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2/manifests"},{"name":"v1.4.1","sha":"b41bc7a9d04190d4237aa263c9a2ff70afbcc5bf","kind":"commit","published_at":"2021-08-18T20:51:54.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1/manifests"},{"name":"v1.4.0","sha":"2e9ec19859c03c15c912732e5528ea0e8a7326da","kind":"commit","published_at":"2021-08-18T17:10:27.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0/manifests"},{"name":"v1.3.0","sha":"51dc564c6509201070f72456bb2c13f87bb373d6","kind":"commit","published_at":"2019-10-06T15:12:45.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.3.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0/manifests"},{"name":"v1.2.0","sha":"b8ea80d5f840a834a808a2171df3ada524b2a010","kind":"tag","published_at":"2019-08-08T22:04:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.2.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0/manifests"},{"name":"v1.1.0","sha":"df0c946aa0c1913e9b8e94be96da59fb57ec9d67","kind":"tag","published_at":"2019-08-05T01:14:03.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.1.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0/manifests"},{"name":"v1.0.4","sha":"53bf066ac3a163546a9c7c44c30998c21068c42d","kind":"tag","published_at":"2018-03-22T19:03:40.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4/manifests"},{"name":"v1.0.3","sha":"5c4354db7524b1df891df0a3e29877ce9f7575ca","kind":"tag","published_at":"2016-01-25T18:28:49.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3/manifests"},{"name":"v1.0.2","sha":"4f0f7810fce6c8aa63de07a40d69d6027a30acaf","kind":"tag","published_at":"2015-03-06T23:41:30.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2/manifests"},{"name":"v1.0.1","sha":"6b14d6a9e11b58253337df95f2b699665cf8b463","kind":"tag","published_at":"2014-09-25T16:05:46.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1/manifests"},{"name":"v1.0.0","sha":"71d89f668ee103b8a8422155ac61fe9f0754946d","kind":"tag","published_at":"2014-08-19T19:46:56.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0/manifests"}]},"repo_metadata_updated_at":"2024-10-29T19:53:11.320Z","dependent_packages_count":32,"downloads":653408642,"downloads_period":"total","dependent_repos_count":517903,"rankings":{"downloads":0.03177930665358326,"dependent_repos_count":0.028991648175198764,"dependent_packages_count":0.786119690904428,"stargazers_count":3.308950613842397,"forks_count":2.3667220481484375,"docker_downloads_count":0.1444007091803169,"average":1.1111606694840603},"purl":"pkg:gem/rails-html-sanitizer","advisories":[{"uuid":"GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x","url":"https://github.com/advisories/GHSA-rxv5-gxqc-xx8g","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"noscript\" element is explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"noscript\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"noscript\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"noscript\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"noscript\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"noscript\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"noscript\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"noscript\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2509647\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T22:18:27.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g","https://nvd.nist.gov/vuln/detail/CVE-2024-53989","https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53989.yml","https://github.com/advisories/GHSA-rxv5-gxqc-xx8g"],"source_kind":"github","identifiers":["GHSA-rxv5-gxqc-xx8g","CVE-2024-53989"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T23:06:49.936Z","updated_at":"2026-04-27T16:04:01.076Z","epss_percentage":0.0228,"epss_percentile":0.84726,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u","url":"https://github.com/advisories/GHSA-2x5m-9ch4-qgrr","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"style\" element is explicitly allowed\n- the \"svg\" or \"math\" element is not allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"style\" and omit \"svg\" or \"math\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:56.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr","https://nvd.nist.gov/vuln/detail/CVE-2024-53987","https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53987.yml","https://github.com/advisories/GHSA-2x5m-9ch4-qgrr"],"source_kind":"github","identifiers":["GHSA-2x5m-9ch4-qgrr","CVE-2024-53987"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:13.966Z","updated_at":"2026-04-27T16:04:01.077Z","epss_percentage":0.01968,"epss_percentile":0.83587,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t","url":"https://github.com/advisories/GHSA-cfjx-w229-hgx5","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\", \"mtext\", \"table\", and \"style\" elements are allowed\n- and either \"mglyph\" or \"malignmark\" are allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements except for \"table\". Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include (\"math\" and \"mtext\" and \"table\" and \"style\" and (\"mglyph\" or \"malignmark\")) should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"mglyph\" and \"malignmark\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5","https://nvd.nist.gov/vuln/detail/CVE-2024-53988","https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53988.yml","https://github.com/advisories/GHSA-cfjx-w229-hgx5"],"source_kind":"github","identifiers":["GHSA-cfjx-w229-hgx5","CVE-2024-53988"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.020Z","updated_at":"2026-04-27T16:04:01.077Z","epss_percentage":0.0228,"epss_percentile":0.84726,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s","url":"https://github.com/advisories/GHSA-638j-pmjw-jq48","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\" and \"style\" elements are both explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"math\" and \"style\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"math\" or \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519941\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:24.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48","https://nvd.nist.gov/vuln/detail/CVE-2024-53986","https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53986.yml","https://github.com/advisories/GHSA-638j-pmjw-jq48"],"source_kind":"github","identifiers":["GHSA-638j-pmjw-jq48","CVE-2024-53986"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.065Z","updated_at":"2026-04-27T16:04:01.078Z","epss_percentage":0.02649,"epss_percentile":0.85796,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r","url":"https://github.com/advisories/GHSA-w8gc-x259-rc7x","title":"rails-html-sanitize has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0 and Nokogiri \u003c 1.15.7, or 1.16.x \u003c 1.16.8.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\nPlease note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or \u003e= 1.16.8.\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n* allow both \"math\" and \"style\" elements\n* or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"svg\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"svg\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, remove \"math\" and \"svg\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information)\n- Or, independently upgrade Nokogiri to v1.15.7 or \u003e= 1.16.8.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2503220\n\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:14.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x","https://nvd.nist.gov/vuln/detail/CVE-2024-53985","https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1","https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml","https://github.com/advisories/GHSA-w8gc-x259-rc7x"],"source_kind":"github","identifiers":["GHSA-w8gc-x259-rc7x","CVE-2024-53985"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.111Z","updated_at":"2026-04-27T16:04:01.078Z","epss_percentage":0.02195,"epss_percentile":0.84452,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi","url":"https://github.com/advisories/GHSA-rrfc-7g8p-99q8","title":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements.\n\nCode is only impacted if allowed tags are being overridden using either of the following two mechanisms:\n\n1. Using the Rails configuration `config.action_view.sanitized_allow_tags=`:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n  ```\n\n  (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)\n\n2. Using the class method `Rails::Html::SafeListSanitizer.allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by either of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\nNOTE: Code is _not_ impacted if allowed tags are overridden using either of the following mechanisms:\n\n- the `:tags` option to the Action View helper method `sanitize`.\n- the `:tags` option to the instance method `SafeListSanitizer#sanitize`.\n\n\n## Workarounds\n\nRemove either \"select\" or \"style\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209\n- https://hackerone.com/reports/1654310\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:51:40.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8","https://hackerone.com/reports/1654310","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23520.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23520","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-rrfc-7g8p-99q8"],"source_kind":"github","identifiers":["GHSA-rrfc-7g8p-99q8","CVE-2022-23520"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.390Z","updated_at":"2026-04-23T10:08:35.742Z","epss_percentage":0.00335,"epss_percentile":0.56303,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh","url":"https://github.com/advisories/GHSA-9h9g-93gc-623h","title":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n- allow both \"math\" and \"style\" elements,\n- or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:\n\n1. using application configuration:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"svg\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds immediately.\n\n\n## Workarounds\n\nRemove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://hackerone.com/reports/1656627\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:50:25.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h","https://hackerone.com/reports/1656627","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23519","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-9h9g-93gc-623h"],"source_kind":"github","identifiers":["GHSA-9h9g-93gc-623h","CVE-2022-23519"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.399Z","updated_at":"2026-04-23T10:08:35.742Z","epss_percentage":0.00148,"epss_percentile":0.35344,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg","url":"https://github.com/advisories/GHSA-mcvf-2q2m-x72m","title":"Improper neutralization of data URIs may allow XSS in rails-html-sanitizer","description":"## Summary\n\nrails-html-sanitizer `\u003e= 1.0.3, \u003c 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `\u003e= 2.1.0`.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)\n- https://github.com/rails/rails-html-sanitizer/issues/135\n- https://hackerone.com/reports/1694173\n\n\n## Credit\n\nThis vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:45:39.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m","https://github.com/rails/rails-html-sanitizer/issues/135","https://github.com/w3c/svgwg/issues/266","https://hackerone.com/reports/1694173","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23518.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23518","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-mcvf-2q2m-x72m"],"source_kind":"github","identifiers":["GHSA-mcvf-2q2m-x72m","CVE-2022-23518"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.408Z","updated_at":"2026-04-28T05:08:06.913Z","epss_percentage":0.00269,"epss_percentile":0.50405,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003e= 1.0.3, \u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":652973764,"downloads_period":"total"},"affected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf","url":"https://github.com/advisories/GHSA-5x79-w82f-gw8w","title":"Inefficient Regular Expression Complexity in rails-html-sanitizer","description":"## Summary\n\nCertain configurations of rails-html-sanitizer `\u003c 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)\n- https://hackerone.com/reports/1684163\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-12-13T17:43:02.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w","https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979","https://hackerone.com/reports/1684163","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23517","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-5x79-w82f-gw8w"],"source_kind":"github","identifiers":["GHSA-5x79-w82f-gw8w","CVE-2022-23517"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.416Z","updated_at":"2026-04-23T10:07:10.386Z","epss_percentage":0.00256,"epss_percentile":0.49008,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c","url":"https://github.com/advisories/GHSA-pg8v-g4xq-hww9","title":"Rails::Html::Sanitizer vulnerable to Cross-site Scripting","description":"Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which  allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. \n\nThis may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`: ```\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e``` \n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize \n\nIt may also be done with Rails::Html::SafeListSanitizer directly: \n```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]```  or with\n```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-06-25T00:00:54.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2022-32209","https://hackerone.com/reports/1530898","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml","https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s","https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html","https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","https://github.com/advisories/GHSA-pg8v-g4xq-hww9"],"source_kind":"github","identifiers":["GHSA-pg8v-g4xq-hww9","CVE-2022-32209"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:12:14.237Z","updated_at":"2026-04-23T10:06:59.655Z","epss_percentage":0.04566,"epss_percentile":0.89178,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.3","vulnerable_version_range":"\u003c 1.4.3"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo","url":"https://github.com/advisories/GHSA-77pc-q5q7-qg9h","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:58:30.000Z","withdrawn_at":"2020-06-16T21:21:56.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7580","https://github.com/advisories/GHSA-77pc-q5q7-qg9h"],"source_kind":"github","identifiers":["GHSA-77pc-q5q7-qg9h"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.116Z","updated_at":"2026-04-28T05:10:38.323Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4","url":"https://github.com/advisories/GHSA-mrhj-2g4v-39qx","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:58:19.000Z","withdrawn_at":"2020-06-16T21:47:07.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7579","https://github.com/advisories/GHSA-mrhj-2g4v-39qx"],"source_kind":"github","identifiers":["GHSA-mrhj-2g4v-39qx"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.125Z","updated_at":"2026-04-28T05:10:38.324Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"= 1.0.2"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2","url":"https://github.com/advisories/GHSA-qc8j-m8j3-rjq6","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:57:58.000Z","withdrawn_at":"2020-06-17T15:15:01.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7578","https://github.com/advisories/GHSA-qc8j-m8j3-rjq6"],"source_kind":"github","identifiers":["GHSA-qc8j-m8j3-rjq6"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.134Z","updated_at":"2026-04-28T05:10:38.324Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4","url":"https://github.com/advisories/GHSA-px3r-jm9g-c8w8","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-04-26T15:41:10.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2018-3741","https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae","https://github.com/advisories/GHSA-px3r-jm9g-c8w8"],"source_kind":"github","identifiers":["GHSA-px3r-jm9g-c8w8","CVE-2018-3741"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:37.288Z","updated_at":"2026-04-28T05:10:39.553Z","epss_percentage":0.00129,"epss_percentile":0.32201,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.4","vulnerable_version_range":"\u003c 1.0.4"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2","url":"https://github.com/advisories/GHSA-r9c2-cr39-c8g6","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the `Rails::Html::FullSanitizer` class.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7579","https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f","https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/12","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-r9c2-cr39-c8g6"],"source_kind":"github","identifiers":["GHSA-r9c2-cr39-c8g6","CVE-2015-7579"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.175Z","updated_at":"2026-04-28T05:10:41.516Z","epss_percentage":0.00166,"epss_percentile":0.37424,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3","url":"https://github.com/advisories/GHSA-59c7-4xj2-hgvw","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7578","https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4","https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/11","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-59c7-4xj2-hgvw"],"source_kind":"github","identifiers":["GHSA-59c7-4xj2-hgvw","CVE-2015-7578"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.165Z","updated_at":"2026-04-28T05:10:41.516Z","epss_percentage":0.00166,"epss_percentile":0.37424,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx","url":"https://github.com/advisories/GHSA-ghqm-pgxj-37gq","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in `lib/rails/html/scrubbers.rb` in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7580","https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78","https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/15","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-ghqm-pgxj-37gq"],"source_kind":"github","identifiers":["GHSA-ghqm-pgxj-37gq","CVE-2015-7580"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.185Z","updated_at":"2026-04-28T05:10:41.517Z","epss_percentage":0.00163,"epss_percentile":0.37457,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/rubygems/rails-html-sanitizer","docker_dependents_count":1354,"docker_downloads_count":821064172,"usage_url":"https://repos.ecosyste.ms/usage/rubygems/rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/rubygems/rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":true,"issue_metadata":{"last_synced_at":"2024-10-29T17:32:32.376Z","issues_count":44,"pull_requests_count":91,"avg_time_to_close_issue":19941641.275,"avg_time_to_close_pull_request":804236.1627906977,"issues_closed_count":40,"pull_requests_closed_count":86,"pull_request_authors_count":45,"issue_authors_count":40,"avg_comments_per_issue":4.204545454545454,"avg_comments_per_pull_request":1.3076923076923077,"merged_pull_requests_count":64,"bot_issues_count":0,"bot_pull_requests_count":4,"past_year_issues_count":2,"past_year_pull_requests_count":19,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":117000.9375,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":16,"past_year_pull_request_authors_count":11,"past_year_issue_authors_count":1,"past_year_avg_comments_per_issue":0.5,"past_year_avg_comments_per_pull_request":0.6842105263157895,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":4,"past_year_merged_pull_requests_count":16,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","maintainers":[{"login":"flavorjones","count":40,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"},{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}],"active_maintainers":[{"login":"flavorjones","count":8,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/codemeta","maintainers":[{"uuid":"43492","login":"jhawthorn","name":null,"email":null,"url":null,"packages_count":150,"html_url":"https://rubygems.org/profiles/jhawthorn","role":null,"created_at":"2022-11-09T09:46:58.693Z","updated_at":"2022-11-09T09:46:58.693Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/jhawthorn/packages"},{"uuid":"207","login":"tenderlove","name":null,"email":null,"url":null,"packages_count":189,"html_url":"https://rubygems.org/profiles/tenderlove","role":null,"created_at":"2022-11-09T09:46:58.885Z","updated_at":"2022-11-09T09:46:58.885Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/tenderlove/packages"},{"uuid":"54617","login":"kamipo","name":null,"email":null,"url":null,"packages_count":61,"html_url":"https://rubygems.org/profiles/kamipo","role":null,"created_at":"2022-11-09T09:46:58.685Z","updated_at":"2022-11-09T09:46:58.685Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/kamipo/packages"},{"uuid":"46413","login":"byroot","name":null,"email":null,"url":null,"packages_count":103,"html_url":"https://rubygems.org/profiles/byroot","role":null,"created_at":"2022-11-09T09:46:58.728Z","updated_at":"2022-11-09T09:46:58.728Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/byroot/packages"},{"uuid":"1550","login":"webster132","name":null,"email":null,"url":null,"packages_count":81,"html_url":"https://rubygems.org/profiles/webster132","role":null,"created_at":"2022-11-09T09:46:58.812Z","updated_at":"2022-11-09T09:46:58.812Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/webster132/packages"},{"uuid":"43998","login":"guilleiguaran","name":null,"email":null,"url":null,"packages_count":85,"html_url":"https://rubygems.org/profiles/guilleiguaran","role":null,"created_at":"2022-11-09T09:46:58.823Z","updated_at":"2022-11-09T09:46:58.823Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/guilleiguaran/packages"},{"uuid":"32977","login":"fxn","name":null,"email":null,"url":null,"packages_count":61,"html_url":"https://rubygems.org/profiles/fxn","role":null,"created_at":"2022-11-09T09:46:58.849Z","updated_at":"2022-11-09T09:46:58.849Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/fxn/packages"},{"uuid":"429","login":"cantoniodasilva","name":null,"email":null,"url":null,"packages_count":67,"html_url":"https://rubygems.org/profiles/cantoniodasilva","role":null,"created_at":"2022-11-09T09:46:58.875Z","updated_at":"2022-11-09T09:46:58.875Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/cantoniodasilva/packages"},{"uuid":"47349","login":"rafaelfranca","name":null,"email":null,"url":null,"packages_count":120,"html_url":"https://rubygems.org/profiles/rafaelfranca","role":null,"created_at":"2022-11-09T09:46:58.766Z","updated_at":"2022-11-09T09:46:58.766Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/rafaelfranca/packages"},{"uuid":"337","login":"jeremydaer","name":null,"email":null,"url":null,"packages_count":68,"html_url":"https://rubygems.org/profiles/jeremydaer","role":null,"created_at":"2022-11-09T09:46:58.789Z","updated_at":"2022-11-09T09:46:58.789Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/jeremydaer/packages"},{"uuid":"528","login":"matthewd","name":null,"email":null,"url":null,"packages_count":66,"html_url":"https://rubygems.org/profiles/matthewd","role":null,"created_at":"2022-11-09T09:46:58.892Z","updated_at":"2022-11-09T09:46:58.892Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/matthewd/packages"},{"uuid":"96878","login":"eileencodes","name":null,"email":null,"url":null,"packages_count":53,"html_url":"https://rubygems.org/profiles/eileencodes","role":null,"created_at":"2022-11-09T09:46:58.911Z","updated_at":"2022-11-09T09:46:58.911Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/eileencodes/packages"},{"uuid":"2583","login":"flavorjones","name":null,"email":null,"url":null,"packages_count":48,"html_url":"https://rubygems.org/profiles/flavorjones","role":null,"created_at":"2022-11-09T09:46:58.743Z","updated_at":"2022-11-09T09:46:58.743Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/flavorjones/packages"}],"registry":{"name":"rubygems.org","url":"https://rubygems.org","ecosystem":"rubygems","default":true,"packages_count":205492,"maintainers_count":68457,"namespaces_count":0,"keywords_count":0,"github":"rubygems","metadata":{"funded_packages_count":7260},"icon_url":"https://github.com/rubygems.png","created_at":"2022-04-04T15:19:23.446Z","updated_at":"2026-04-03T06:42:17.024Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/namespaces"}},{"id":13669402,"name":"ruby-rails-html-sanitizer","ecosystem":"debian","description":null,"homepage":"https://github.com/rails/rails-html-sanitizer","licenses":null,"normalized_licenses":[],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":["misc"],"namespace":"main","versions_count":1,"first_release_published_at":"2026-02-12T12:40:37.168Z","latest_release_published_at":"2026-02-12T12:40:37.168Z","latest_release_number":"1.6.2-1","last_synced_at":"2026-03-14T18:11:06.336Z","created_at":"2026-02-12T12:40:36.958Z","updated_at":"2026-03-14T18:11:06.336Z","registry_url":"https://tracker.debian.org/pkg/ruby-rails-html-sanitizer","install_command":"apt-get install ruby-rails-html-sanitizer","documentation_url":"https://packages.debian.org/trixie/ruby-rails-html-sanitizer","metadata":{"component":"main","architecture":"all","priority":"optional","binary":"ruby-rails-html-sanitizer","standards_version":"4.7.0","maintainer":"Debian Ruby Team \u003cpkg-ruby-extras-maintainers@lists.alioth.debian.org\u003e","build_depends":"debhelper-compat (= 13), gem2deb (\u003e= 1), rake, ruby-loofah (\u003e= 2.21), ruby-nokogiri (\u003e= 1.17~)","build_depends_indep":null,"build_depends_arch":null},"repo_metadata":{},"repo_metadata_updated_at":"2026-02-12T12:40:37.225Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":0.0,"dependent_packages_count":0.0,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":100},"purl":"pkg:deb/debian/ruby-rails-html-sanitizer?arch=source\u0026distro=debian-13\u0026repository_url=https://packages.debian.org/trixie","advisories":[],"docker_usage_url":"https://docker.ecosyste.ms/usage/debian/ruby-rails-html-sanitizer","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/debian/ruby-rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/debian/ruby-rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":null,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/codemeta","maintainers":[],"registry":{"name":"debian-13","url":"https://packages.debian.org/trixie","ecosystem":"debian","default":false,"packages_count":38024,"maintainers_count":0,"namespaces_count":4,"keywords_count":0,"github":"debian","metadata":{"codename":"trixie"},"icon_url":"https://github.com/debian.png","created_at":"2026-02-04T11:01:50.448Z","updated_at":"2026-04-27T18:20:39.853Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/namespaces"}}],"commits":{"id":19424,"full_name":"rails/rails-html-sanitizer","default_branch":"main","total_commits":246,"total_committers":34,"total_bot_commits":11,"total_bot_committers":1,"mean_commits":7.235294117647059,"dds":0.5731707317073171,"past_year_total_commits":7,"past_year_total_committers":2,"past_year_total_bot_commits":3,"past_year_total_bot_committers":1,"past_year_mean_commits":3.5,"past_year_dds":0.4285714285714286,"last_synced_at":"2026-04-20T06:01:13.260Z","last_synced_commit":"a8a04134d77f765a166188ef0850369adb6686ab","created_at":"2023-03-07T11:41:00.271Z","updated_at":"2026-04-20T06:00:44.958Z","committers":[{"name":"Mike Dalessio","email":"mike.dalessio@gmail.com","login":"flavorjones","count":105},{"name":"Timm","email":"kaspth@gmail.com","login":"kaspth","count":51},{"name":"Rafael Mendonça França","email":"rafael.franca@plataformatec.com.br","login":null,"count":21},{"name":"dependabot[bot]","email":"49699333+dependabot[bot]","login":"dependabot[bot]","count":11},{"name":"Juanito Fatas","email":"juanito.fatas@shopify.com","login":null,"count":7},{"name":"Akira Matsuda","email":"ronnie@dio.jp","login":"amatsuda","count":6},{"name":"Rafael Mendonça França","email":"rafaelmfranca@gmail.com","login":"rafaelfranca","count":6},{"name":"Rafael Mendonça França + Kasper Timm Hansen","email":"rafaelmfranca+kaspth@gmail.com","login":null,"count":5},{"name":"Godfrey Chan","email":"godfreykfc@gmail.com","login":"chancancode","count":3},{"name":"Fabian Schwahn","email":"fabian.schwahn@gmail.com","login":"fschwahn","count":3},{"name":"Aaron Patterson","email":"aaron.patterson@gmail.com","login":"tenderlove","count":2},{"name":"Nicolas Leger","email":"nicolasleger","login":"nicolasleger","count":2},{"name":"m-nakamura145","email":"masato.nakamura145@gmail.com","login":"m-nakamura145","count":2},{"name":"seyerian","email":"seyerian@pm.me","login":"seyerian","count":2},{"name":"Akhil G Krishnan","email":"akhilgkrishnan4u@gmail.com","login":"akhilgkrishnan","count":1},{"name":"George Claghorn","email":"george@basecamp.com","login":"georgeclaghorn","count":1},{"name":"Igor Victor","email":"gogainda@yandex.ru","login":"gogainda","count":1},{"name":"yui-knk","email":"spiketeika@gmail.com","login":"yui-knk","count":1},{"name":"rwojnarowski","email":"radziu92@gmail.com","login":"rwojnarowski","count":1},{"name":"maclover7","email":"me@jonathanmoss.me","login":"maclover7","count":1},{"name":"Trevor John","email":"trevor@john.tj","login":"trevorrjohn","count":1},{"name":"Tebs","email":"qatrera@gmail.com","login":"tebs","count":1},{"name":"Sean Doyle","email":"seanpdoyle","login":"seanpdoyle","count":1},{"name":"Robb Shecter","email":"robb@public.law","login":"dogweather","count":1},{"name":"Pavel Valena","email":"pvalena@redhat.com","login":"pvalena","count":1},{"name":"Paul Mesnilgrente","email":"web@paul-mesnilgrente.com","login":"paul-mesnilgrente","count":1},{"name":"Orien Madgwick","email":"_@orien.io","login":"orien","count":1},{"name":"Olle Jonsson","email":"olle.jonsson@gmail.com","login":"olleolleolle","count":1},{"name":"Neo Elit","email":"neo.999networks@gmail.com","login":"NeoElit","count":1},{"name":"Katsuhiko YOSHIDA","email":"claddvd@gmail.com","login":"kyoshidajp","count":1},{"name":"Juanito Fatas","email":"katehuang0320@gmail.com","login":"JuanitoFatas","count":1},{"name":"Josh Goodall","email":"inopinatus@inopinatus.org","login":"inopinatus","count":1},{"name":"John Weir","email":"john.weir@pharos-ei.com","login":"jweir","count":1},{"name":"John Bampton","email":"jbampton@gmail.com","login":"jbampton","count":1}],"past_year_committers":[{"name":"Mike Dalessio","email":"mike.dalessio@gmail.com","login":"flavorjones","count":4},{"name":"dependabot[bot]","email":"49699333+dependabot[bot]","login":"dependabot[bot]","count":3}],"commits_url":"https://commits.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/commits","host":{"name":"GitHub","url":"https://github.com","kind":"github","last_synced_at":"2026-04-21T00:00:07.949Z","repositories_count":6215268,"commits_count":899447002,"contributors_count":34906382,"owners_count":1143777,"icon_url":"https://github.com/github.png","host_url":"https://commits.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://commits.ecosyste.ms/api/v1/hosts/GitHub/repositories"}},"issues_stats":{"full_name":"rails/rails-html-sanitizer","html_url":"https://github.com/rails/rails-html-sanitizer","last_synced_at":"2026-02-27T05:02:13.625Z","status":"active","issues_count":47,"pull_requests_count":133,"avg_time_to_close_issue":19457960.85365854,"avg_time_to_close_pull_request":1837195.9674796748,"issues_closed_count":41,"pull_requests_closed_count":123,"pull_request_authors_count":47,"issue_authors_count":42,"avg_comments_per_issue":4.085106382978723,"avg_comments_per_pull_request":1.1052631578947367,"merged_pull_requests_count":95,"bot_issues_count":0,"bot_pull_requests_count":22,"past_year_issues_count":2,"past_year_pull_requests_count":20,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":1117208.8125,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":16,"past_year_pull_request_authors_count":4,"past_year_issue_authors_count":2,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.6,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":13,"past_year_merged_pull_requests_count":14,"created_at":"2023-05-12T15:47:20.626Z","updated_at":"2026-02-27T05:02:13.626Z","repository_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","issue_labels_count":{"enhancement":2,"topic/html5":1},"pull_request_labels_count":{"dependencies":22,"ruby":11},"issue_author_associations_count":{"NONE":41,"MEMBER":4,"CONTRIBUTOR":2},"pull_request_author_associations_count":{"MEMBER":52,"CONTRIBUTOR":46,"NONE":35},"issue_authors":{"flavorjones":4,"archonic":2,"naitoh":2,"paul-mesnilgrente":1,"vividtone":1,"jorg-vr":1,"jackphelps":1,"moritzhoeppner":1,"mm580486":1,"puneet-sutar":1,"Sim4n6":1,"srecnig":1,"mattt416":1,"goromlagche":1,"Segaja":1,"dmpotter44":1,"nruth":1,"jeremyevans":1,"sobrinho":1,"geor-g":1,"likeuwill":1,"motiko":1,"Zeouterlimits":1,"rodolfobandeira":1,"petebytes":1,"pvalena":1,"dorianmariefr":1,"lephyrius":1,"phearle":1,"tquill":1,"terceiro":1,"CarlosCD":1,"kaspatel-mdsol":1,"boutil":1,"mayesgr":1,"miloprice":1,"Earlopain":1,"yskkin":1,"igorkasyanchuk":1,"ayzahamid":1,"kaoru":1,"stefanosc":1},"pull_request_authors":{"flavorjones":49,"dependabot[bot]":22,"JuanitoFatas":6,"m-nakamura145":3,"seyerian":2,"Earlopain":2,"ch4n3-yoon":2,"dogweather":2,"jweir":2,"seanpdoyle":2,"rubyrider":2,"akhilgkrishnan":2,"nacengineer":2,"tongueroo":2,"adrianotadao":1,"hectron":1,"kaspergrubbe":1,"mashedkeyboard":1,"jhottenstein":1,"frederikspang":1,"rodolfobandeira":1,"jiahuang":1,"dylanpinn":1,"joshpencheon":1,"mberrueta":1,"fschwahn":1,"kyoshidajp":1,"inopinatus":1,"voxik":1,"nicolasleger":1,"junaruga":1,"tebs":1,"luke-hill":1,"abhaynikam":1,"goromlagche":1,"jeremywrowe":1,"jacobherrington":1,"dLobatog":1,"gogainda":1,"paul-mesnilgrente":1,"trevorrjohn":1,"rwojnarowski":1,"olleolleolle":1,"orien":1,"jbampton":1,"amatsuda":1,"notnmeyer":1},"host":{"name":"GitHub","url":"https://github.com","kind":"github","last_synced_at":"2026-03-11T00:00:08.908Z","repositories_count":13668727,"issues_count":34675980,"pull_requests_count":113155810,"authors_count":11193605,"icon_url":"https://github.com/github.png","host_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories","owners_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/owners","authors_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors"},"past_year_issue_labels_count":{},"past_year_pull_request_labels_count":{"dependencies":7,"ruby":7},"past_year_issue_author_associations_count":{"MEMBER":1,"NONE":1},"past_year_pull_request_author_associations_count":{"CONTRIBUTOR":7,"MEMBER":4,"NONE":3},"past_year_issue_authors":{"flavorjones":1,"kaoru":1},"past_year_pull_request_authors":{"dependabot[bot]":7,"flavorjones":4,"nacengineer":2,"voxik":1},"maintainers":[{"login":"flavorjones","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"},{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}],"active_maintainers":[{"login":"flavorjones","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"}]},"events":{"total":{"ReleaseEvent":2,"DeleteEvent":12,"PullRequestEvent":26,"ForkEvent":8,"IssuesEvent":5,"WatchEvent":20,"IssueCommentEvent":22,"PushEvent":20,"CreateEvent":15},"last_year":{"DeleteEvent":6,"PullRequestEvent":9,"ForkEvent":3,"IssuesEvent":1,"WatchEvent":7,"IssueCommentEvent":8,"PushEvent":7,"CreateEvent":5}},"keywords":[],"dependencies":[{"ecosystem":"rubygems","filepath":"rails-html-sanitizer.gemspec","sha":null,"kind":"manifest","created_at":"2022-07-12T15:04:08.484Z","updated_at":"2022-07-12T15:04:08.484Z","repository_link":"https://github.com/rails/rails-html-sanitizer/blob/main/rails-html-sanitizer.gemspec","dependencies":[{"id":159563375,"package_name":"loofah","ecosystem":"rubygems","requirements":"~\u003e 2.3","direct":true,"kind":"runtime","optional":false},{"id":159563382,"package_name":"bundler","ecosystem":"rubygems","requirements":"\u003e= 1.3","direct":true,"kind":"development","optional":false},{"id":159563385,"package_name":"rake","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":159563387,"package_name":"minitest","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":159563389,"package_name":"rails-dom-testing","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false}]},{"ecosystem":"actions","filepath":".github/workflows/ci.yml","sha":null,"kind":"manifest","created_at":"2023-01-13T16:10:14.552Z","updated_at":"2023-01-13T16:10:14.552Z","repository_link":"https://github.com/rails/rails-html-sanitizer/blob/main/.github/workflows/ci.yml","dependencies":[{"id":6890126479,"package_name":"actions/checkout","ecosystem":"actions","requirements":"v2","direct":true,"kind":"composite","optional":false},{"id":6890126480,"package_name":"ruby/setup-ruby","ecosystem":"actions","requirements":"v1","direct":true,"kind":"composite","optional":false}]},{"ecosystem":"rubygems","filepath":"Gemfile","sha":null,"kind":"manifest","created_at":"2023-12-02T02:14:53.779Z","updated_at":"2023-12-02T02:14:53.779Z","repository_link":"https://github.com/rails/rails-html-sanitizer/blob/main/Gemfile","dependencies":[{"id":14850140019,"package_name":"rake","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"runtime","optional":false},{"id":14850140020,"package_name":"minitest","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"runtime","optional":false},{"id":14850140021,"package_name":"rubocop","ecosystem":"rubygems","requirements":"\u003e= 1.25.1","direct":true,"kind":"development","optional":false},{"id":14850140022,"package_name":"rubocop-minitest","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":14850140023,"package_name":"rubocop-packaging","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":14850140024,"package_name":"rubocop-performance","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":14850140025,"package_name":"rubocop-rails","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false}]}],"score":31.157234100802256,"created_at":"2024-12-15T21:38:07.108Z","updated_at":"2026-04-30T16:30:33.128Z","avatar_url":"https://github.com/rails.png","language":"Ruby","monthly_downloads":0,"readme":"# Rails HTML Sanitizers\n\nThis gem is responsible for sanitizing HTML fragments in Rails applications. Specifically, this is the set of sanitizers used to implement the Action View `SanitizerHelper` methods `sanitize`, `sanitize_css`, `strip_tags` and `strip_links`.\n\nRails HTML Sanitizer is only intended to be used with Rails applications. If you need similar functionality but aren't using Rails, consider using the underlying sanitization library [Loofah](https://github.com/flavorjones/loofah) directly.\n\n\n## Usage\n\n### Sanitizers\n\nAll sanitizers respond to `sanitize`, and are available in variants that use either HTML4 or HTML5 parsing, under the `Rails::HTML4` and `Rails::HTML5` namespaces, respectively.\n\nNOTE: The HTML5 sanitizers are not supported on JRuby. Users may programmatically check for support by calling `Rails::HTML::Sanitizer.html5_support?`.\n\n\n#### FullSanitizer\n\n```ruby\nfull_sanitizer = Rails::HTML5::FullSanitizer.new\nfull_sanitizer.sanitize(\"\u003cb\u003eBold\u003c/b\u003e no more!  \u003ca href='more.html'\u003eSee more here\u003c/a\u003e...\")\n# =\u003e Bold no more!  See more here...\n```\n\nor, if you insist on parsing the content as HTML4:\n\n```ruby\nfull_sanitizer = Rails::HTML4::FullSanitizer.new\nfull_sanitizer.sanitize(\"\u003cb\u003eBold\u003c/b\u003e no more!  \u003ca href='more.html'\u003eSee more here\u003c/a\u003e...\")\n# =\u003e Bold no more!  See more here...\n```\n\n#### LinkSanitizer\n\n```ruby\nlink_sanitizer = Rails::HTML5::LinkSanitizer.new\nlink_sanitizer.sanitize('\u003ca href=\"example.com\"\u003eOnly the link text will be kept.\u003c/a\u003e')\n# =\u003e Only the link text will be kept.\n```\n\nor, if you insist on parsing the content as HTML4:\n\n```ruby\nlink_sanitizer = Rails::HTML4::LinkSanitizer.new\nlink_sanitizer.sanitize('\u003ca href=\"example.com\"\u003eOnly the link text will be kept.\u003c/a\u003e')\n# =\u003e Only the link text will be kept.\n```\n\n\n#### SafeListSanitizer\n\nThis sanitizer is also available as an HTML4 variant, but for simplicity we'll document only the HTML5 variant below.\n\n```ruby\nsafe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new\n\n# sanitize via an extensive safe list of allowed elements\nsafe_list_sanitizer.sanitize(@article.body)\n\n# sanitize only the supplied tags and attributes\nsafe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))\n\n# sanitize via a custom scrubber\nsafe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)\n\n# prune nodes from the tree instead of stripping tags and leaving inner content\nsafe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new(prune: true)\n\n# the sanitizer can also sanitize css\nsafe_list_sanitizer.sanitize_css('background-color: #000;')\n```\n\n### Scrubbers\n\nScrubbers are objects responsible for removing nodes or attributes you don't want in your HTML document.\n\nThis gem includes two scrubbers `Rails::HTML::PermitScrubber` and `Rails::HTML::TargetScrubber`.\n\n#### `Rails::HTML::PermitScrubber`\n\nThis scrubber allows you to permit only the tags and attributes you want.\n\n```ruby\nscrubber = Rails::HTML::PermitScrubber.new\nscrubber.tags = ['a']\n\nhtml_fragment = Loofah.fragment('\u003ca\u003e\u003cimg/ \u003e\u003c/a\u003e')\nhtml_fragment.scrub!(scrubber)\nhtml_fragment.to_s # =\u003e \"\u003ca\u003e\u003c/a\u003e\"\n```\n\nBy default, inner content is left, but it can be removed as well.\n\n```ruby\nscrubber = Rails::HTML::PermitScrubber.new\nscrubber.tags = ['a']\n\nhtml_fragment = Loofah.fragment('\u003ca\u003e\u003cspan\u003etext\u003c/span\u003e\u003c/a\u003e')\nhtml_fragment.scrub!(scrubber)\nhtml_fragment.to_s # =\u003e \"\u003ca\u003etext\u003c/a\u003e\"\n\nscrubber = Rails::HTML::PermitScrubber.new(prune: true)\nscrubber.tags = ['a']\n\nhtml_fragment = Loofah.fragment('\u003ca\u003e\u003cspan\u003etext\u003c/span\u003e\u003c/a\u003e')\nhtml_fragment.scrub!(scrubber)\nhtml_fragment.to_s # =\u003e \"\u003ca\u003e\u003c/a\u003e\"\n```\n\n#### `Rails::HTML::TargetScrubber`\n\nWhere `PermitScrubber` picks out tags and attributes to permit in sanitization,\n`Rails::HTML::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.\n\n**Note:** by default, it will scrub anything that is not part of the permitted tags from\nloofah `HTML5::Scrub.allowed_element?`.\n\n```ruby\nscrubber = Rails::HTML::TargetScrubber.new\nscrubber.tags = ['img']\n\nhtml_fragment = Loofah.fragment('\u003ca\u003e\u003cimg/ \u003e\u003c/a\u003e')\nhtml_fragment.scrub!(scrubber)\nhtml_fragment.to_s # =\u003e \"\u003ca\u003e\u003c/a\u003e\"\n```\n\nSimilarly to `PermitScrubber`, nodes can be fully pruned.\n\n```ruby\nscrubber = Rails::HTML::TargetScrubber.new\nscrubber.tags = ['span']\n\nhtml_fragment = Loofah.fragment('\u003ca\u003e\u003cspan\u003etext\u003c/span\u003e\u003c/a\u003e')\nhtml_fragment.scrub!(scrubber)\nhtml_fragment.to_s # =\u003e \"\u003ca\u003etext\u003c/a\u003e\"\n\nscrubber = Rails::HTML::TargetScrubber.new(prune: true)\nscrubber.tags = ['span']\n\nhtml_fragment = Loofah.fragment('\u003ca\u003e\u003cspan\u003etext\u003c/span\u003e\u003c/a\u003e')\nhtml_fragment.scrub!(scrubber)\nhtml_fragment.to_s # =\u003e \"\u003ca\u003e\u003c/a\u003e\"\n```\n\n#### Custom Scrubbers\n\nYou can also create custom scrubbers in your application if you want to.\n\n```ruby\nclass CommentScrubber \u003c Rails::HTML::PermitScrubber\n  def initialize\n    super\n    self.tags = %w( form script comment blockquote )\n    self.attributes = %w( style )\n  end\n\n  def skip_node?(node)\n    node.text?\n  end\nend\n```\n\nSee `Rails::HTML::PermitScrubber` documentation to learn more about which methods can be overridden.\n\n#### Custom Scrubber in a Rails app\n\nUsing the `CommentScrubber` from above, you can use this in a Rails view like so:\n\n```ruby\n\u003c%= sanitize @comment, scrubber: CommentScrubber.new %\u003e\n```\n\n### A note on HTML entities\n\n__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__\n\nProper HTML sanitization will replace some characters with HTML entities. For example, text containing a `\u003c` character will be updated to contain `\u0026lt;` to ensure that the markup is well-formed.\n\nThis is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__\n\n\n#### A concrete example showing the problem that can arise\n\nImagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase \u0026 Co.`.\n\nIf you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase \u0026amp; Co.`\n\nWhen the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase \u0026amp;amp; Co.` which will render as \"JPMorgan Chase \u0026amp;amp; Co.\".\n\nAnother problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.\n\n\n#### Suggested alternatives\n\nYou might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.\n\nThat raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.\n\nIf you really want to sanitize the string that's stored in your database, you may wish to look into  [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.\n\n\n### A note on module names\n\nIn versions \u003c 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:\n\n- `Rails::HTML` for general functionality (replacing `Rails::Html`)\n- `Rails::HTML4` containing sanitizers that parse content as HTML4\n- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)\n\nThe following aliases are maintained for backwards compatibility:\n\n- `Rails::Html` points to `Rails::HTML`\n- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`\n- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`\n- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`\n\n\n## Installation\n\nAdd this line to your application's Gemfile:\n\n    gem 'rails-html-sanitizer'\n\nAnd then execute:\n\n    $ bundle\n\nOr install it yourself as:\n\n    $ gem install rails-html-sanitizer\n\n\n## Support matrix\n\n| branch | ruby support | actively maintained | security support                       |\n|--------|--------------|---------------------|----------------------------------------|\n| 1.6.x  | \u003e= 2.7       | yes                 | yes                                    |\n| 1.5.x  | \u003e= 2.5       | no                  | while Rails 6.1 is in security support |\n| 1.4.x  | \u003e= 1.8.7     | no                  | no                                     |\n\n\n## Read more\n\nLoofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.\n\n- [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)\n\nThe `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.\n\n- [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)\n- [Nokogiri](http://nokogiri.org)\n\n\n## Contributing to Rails HTML Sanitizers\n\nRails HTML Sanitizers is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.\n\nSee [CONTRIBUTING](CONTRIBUTING.md).\n\n### Security reports\n\nTrying to report a possible security vulnerability in this project? Please check out the [Rails project's security policy](https://rubyonrails.org/security) for instructions.\n\n\n## License\n\nRails HTML Sanitizers is released under the [MIT License](MIT-LICENSE).\n","funding_links":[],"readme_doi_urls":[],"works":{},"citation_counts":{},"total_citations":0,"keywords_from_contributors":["activerecord","mvc","rubygems","activejob","rack","rspec","crash-reporting","feature-flag","mime-types","devise"],"project_url":"https://ruby.ecosyste.ms/api/v1/projects/143","html_url":"https://ruby.ecosyste.ms/projects/143"}