Dominic Breuker

#43463 of 53,632
6.1 Total CVSS
Vulnerabilities · 1
PT-2022-16048
6.1
2022-12-13
Unknown · Rails-Html-Sanitizer · CVE-2022-23520
**Name of the Vulnerable Software and Affected Versions**

rails-html-sanitizer versions prior to 1.4.4

**Description**

The issue concerns the sanitization of HTML fragments in Rails applications. Prior to version 1.4.4, certain configurations of Rails::Html::Sanitizer are vulnerable to a possible XSS attack because an earlier fix was incomplete. The vulnerability may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to permit both the "select" and the "style" element. Code is only affected if the allowed tags are being overridden.

**Recommendations**

For versions prior to 1.4.4, upgrade to version 1.4.4. If upgrading is not immediately possible, remove either "select" or "style" from the overridden allowed tags as a temporary workaround.