PT-2024-35998 · Rails

Mokusou

Published 2024-12-02 · Updated 2026-04-17 · CVE-2024-53986

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions: rails-html-sanitizer version 1.6.0
Description: A possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the "math" and "style" elements are both explicitly allowed. This issue is relevant when used with Rails >= 7.1.0. The default configuration is to disallow these elements, and code is only impacted if allowed tags are being overridden.
Recommendations: For rails-html-sanitizer version 1.6.0, upgrade to version 1.6.1 to fix the vulnerability. As a temporary workaround, remove "math" or "style" from the overridden allowed tags, or downgrade sanitization to HTML4 by configuring config.action_view.sanitizer_vendor and config.action_text.sanitizer_vendor accordingly.
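As an added illustration (not part of this advisory or of the rails-html-sanitizer gem), the following Ruby helper encodes the conditions described above as a configuration check and derives the recommended hardened settings. The vendor constant names and config keys are those of Rails 7.1; the helper functions and the sample configuration are constructed here and are assumptions.

```ruby
# Added example: audit helper for CVE-2024-53986. It models the advisory's
# conditions (rails-html-sanitizer 1.6.0, Rails >= 7.1.0, HTML5 sanitizer
# vendor, an allowed-tags override containing both "math" and "style") and
# returns the remediation the advisory recommends. Not the gem's own code.

# The values Rails accepts for config.action_view.sanitizer_vendor and
# config.action_text.sanitizer_vendor are the constants Rails::HTML5::Sanitizer
# and Rails::HTML4::Sanitizer; they are modelled as strings so this check runs
# without the gem installed.
HTML5 = "Rails::HTML5::Sanitizer"
HTML4 = "Rails::HTML4::Sanitizer"

FIXED_GEM_VERSION = Gem::Version.new("1.6.1")

# True only when every condition of the advisory holds at once.
def affected?(gem_version:, rails_version:, vendor:, allowed_tags:)
  return false if Gem::Version.new(gem_version) >= FIXED_GEM_VERSION
  return false if Gem::Version.new(rails_version) < Gem::Version.new("7.1.0")
  return false unless vendor == HTML5
  return false if allowed_tags.nil? # default safe list already excludes math/style
  tags = allowed_tags.map(&:to_s)
  tags.include?("math") && tags.include?("style")
end

# Hardened settings: upgrade the gem; as an interim step drop "style" from the
# override (the advisory allows dropping either "math" or "style"). Switching
# the vendor to HTML4 is the other workaround the advisory names.
def remediate(vendor:, allowed_tags:)
  {
    gem_version: FIXED_GEM_VERSION.to_s,
    vendor: vendor,
    allowed_tags: allowed_tags && allowed_tags.map(&:to_s).reject { |t| t == "style" },
  }
end

# Constructed sample: a developer extended the safe list for MathML and inline CSS.
VULNERABLE = {
  gem_version: "1.6.0", rails_version: "7.1.3", vendor: HTML5,
  allowed_tags: %w[p a math mi mo style],
}

if __FILE__ == $PROGRAM_NAME
  puts "affected: #{affected?(**VULNERABLE)}"
  puts remediate(vendor: HTML5, allowed_tags: VULNERABLE[:allowed_tags]).inspect
end
```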

XSS

Related Identifiers

BDU:2025-04578
CVE-2024-53986
GHSA-638J-PMJW-JQ48
OPENSUSE-SU-2026:10569-1

Affected Products

Rails
Red Os
Rails-Html-Sanitizer