PT-2025-47234 · Rubygems · Prosemirror To Html
Published
2025-11-07
·
Updated
2025-11-07
CVSS v3.1
7.6
High
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N |
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-52c5-vh7f-26fx. This link is maintained to preserve external references.
Original Description
Impact
The `prosemirror_to_html` gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.
Who is impacted:
- Any application using `prosemirror_to_html` to convert ProseMirror documents to HTML
- Applications that process user-generated ProseMirror content are at highest risk
- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers
Attack vectors include:
- `href` attributes with the `javascript:` protocol: `<a href="javascript:alert(document.cookie)">`
- Event handlers: `<div onclick="maliciousCode()">`
- `onerror` attributes on images: `<img src=x onerror="alert('XSS')">`
- Other HTML attributes that can execute JavaScript
Patches
A fix is currently in development. Users should upgrade to version
0.2.1 or later once released.
The patch escapes all HTML attribute values using `CGI.escapeHTML` to prevent injection attacks.
Workarounds
Until a patched version is available, users can implement one or
more of these mitigations:
- Output sanitization: run the rendered HTML through a sanitizer such as the Sanitize gem, as in the advisory's own snippet:
```ruby
require "prosemirror_to_html"
require "sanitize"

html = ProsemirrorToHtml.render(document)
# RELAXED keeps common formatting tags but drops attributes and URL
# protocols that are not on its allowlist (event handlers, javascript: URLs).
safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)
```
- Implement Content Security Policy (CSP): add strict CSP headers to prevent inline JavaScript execution:
```
Content-Security-Policy: default-src 'self'; script-src 'self'
```
- Input validation: if possible, validate and sanitize ProseMirror documents before conversion to prevent malicious content from entering the system.
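The following Ruby example is added here and is not the gem's code: it contrasts the unescaped attribute rendering described under Impact with the `CGI.escapeHTML` treatment named under Patches, and adds an `href` scheme allowlist (`safe_href?`, a hypothetical helper) because escaping alone does not neutralise a `javascript:` URL, which is why the Sanitize workaround above also matters. The attribute values and the `render_*` names are constructed for illustration.

```ruby
require "cgi"
require "uri"

# Constructed samples: link attributes as an attacker-controlled ProseMirror
# document might supply them.
ATTRS_WITH_BREAKOUT = { "href" => '" onmouseover="alert(1)' }.freeze
ATTRS_WITH_SCHEME   = { "href" => "javascript:alert(document.cookie)" }.freeze

# Vulnerable pattern: attribute values interpolated without escaping, so a
# quote in the value closes the attribute and injects a new one.
def render_attrs_unescaped(attrs)
  attrs.map { |k, v| %(#{k}="#{v}") }.join(" ")
end

# Patched pattern: every value passes through CGI.escapeHTML, which encodes
# " ' < > & so the value can never escape its attribute context.
def render_attrs_escaped(attrs)
  attrs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v.to_s)}") }.join(" ")
end

SAFE_SCHEMES = %w[http https mailto].freeze

# Defence in depth (assumption, not part of the gem's patch): accept only
# relative URLs or URLs whose scheme is on the allowlist. Escaping leaves
# "javascript:..." fully functional, so a scheme check is needed separately.
def safe_href?(value)
  uri = URI.parse(value.to_s)
  uri.scheme.nil? || SAFE_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false
end

# Render an <a> start tag with both protections applied.
def render_link(attrs)
  checked = safe_href?(attrs["href"]) ? attrs : attrs.merge("href" => "#")
  "<a #{render_attrs_escaped(checked)}>"
end
```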
References
- Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
Fix
XSS
Found a problem in the description? Have something to add? Feel free to write to us 👾
Weakness Enumeration
Related identifiers
Affected products
Prosemirror To Html