PT-2024-35997
Mokusou
Published: 2024-12-02 · Updated: 2026-04-17
CVE-2024-53985
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: rails-html-sanitizer version 1.6.0
Description: A possible XSS vulnerability exists in certain configurations of Rails::HTML::Sanitizer when it is used with Rails >= 7.1.0 and Nokogiri < 1.15.7, or 1.16.x < 1.16.8. The vulnerability may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags to include both the "math" and "style" elements, or both the "svg" and "style" elements.
Recommendations: For rails-html-sanitizer version 1.6.0, upgrade to version 1.6.1 to fix the vulnerability. As a temporary workaround, remove "style" from the overridden allowed tags, or remove both "math" and "svg" from the overridden allowed tags, or downgrade sanitization to HTML4. Alternatively, upgrade Nokogiri independently to v1.15.7 or >= 1.16.8.
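The following triage helper is an added example, not code from the advisory or from the rails-html-sanitizer project. It encodes the conditions stated above so an operator can check an application's gem versions (from Gemfile.lock) and its allowed-tag override offline; the version numbers and tag list at the bottom are constructed sample values, and the function and parameter names are this example's own.

```ruby
require "rubygems" # Gem::Version ships with RubyGems, loaded by default

# Nokogiri releases the advisory lists as still affected:
# below 1.15.7, or a 1.16.x release below 1.16.8.
def nokogiri_vulnerable?(version)
  v = Gem::Version.new(version)
  return true if v < Gem::Version.new("1.15.7")
  v >= Gem::Version.new("1.16.0") && v < Gem::Version.new("1.16.8")
end

# Allowed-tag override the advisory calls out: "style" together with
# "math" or "svg" (for example via config.action_view.sanitized_allowed_tags,
# or the tags: option passed to the sanitize helper).
def risky_tag_override?(allowed_tags)
  tags = allowed_tags.map(&:to_s)
  tags.include?("style") && (tags.include?("math") || tags.include?("svg"))
end

# All conditions from the advisory must hold at once: rails-html-sanitizer
# 1.6.0, Rails >= 7.1.0, HTML5 sanitization enabled, an affected Nokogiri,
# and the risky tag override.
def cve_2024_53985_exposed?(sanitizer_version:, rails_version:, nokogiri_version:,
                            html5_sanitization:, allowed_tags:)
  Gem::Version.new(sanitizer_version) == Gem::Version.new("1.6.0") &&
    Gem::Version.new(rails_version) >= Gem::Version.new("7.1.0") &&
    html5_sanitization &&
    nokogiri_vulnerable?(nokogiri_version) &&
    risky_tag_override?(allowed_tags)
end

# Interim workaround from the advisory: drop "style" from the override.
# Upgrading rails-html-sanitizer to 1.6.1 (or Nokogiri to a fixed release)
# is the actual fix.
def harden_allowed_tags(allowed_tags)
  allowed_tags.reject { |t| t.to_s == "style" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; not taken from any real application.
  tags = %w[p a b i svg style]
  exposed = cve_2024_53985_exposed?(sanitizer_version: "1.6.0", rails_version: "7.1.2",
                                    nokogiri_version: "1.16.5", html5_sanitization: true,
                                    allowed_tags: tags)
  puts "exposed: #{exposed}"                              # exposed: true
  puts "hardened: #{harden_allowed_tags(tags).inspect}"   # "style" removed
end
```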

XSS

Related Identifiers

BDU:2025-04579
CVE-2024-53985
GHSA-W8GC-X259-RC7X
OPENSUSE-SU-2026:10569-1

Affected Products

Nokogiri
Rails
Red Os
Rails-Html-Sanitizer