PT-2024-36000 · Rails +2

Mokusou +2

Published 2024-12-02 · Updated 2026-04-17 · CVE-2024-53988

CVSS v2.0: 6.4 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: rails-html-sanitizer version 1.6.0
Description: There is a possible XSS vulnerability in certain configurations of Rails::HTML::Sanitizer when used with Rails >= 7.1.0. An attacker may be able to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags so that the "math", "mtext", "table", and "style" elements are all allowed and either "mglyph" or "malignmark" is also allowed. Applications that keep the default allowed-tag list, or that sanitize with the HTML4 sanitizer, are not affected.
Recommendations: For rails-html-sanitizer version 1.6.0, upgrade to version 1.6.1, which fixes the vulnerability. If upgrading is not immediately possible, remove "mglyph" and "malignmark" from the overridden allowed tags, or use HTML4 sanitization instead of HTML5.
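The following is an added example written for this entry; it is not code from the advisory or from the rails-html-sanitizer project. It turns the conditions above into a configuration check that runs without the gem installed: given the gem version, whether HTML5 sanitization is in use, and the overridden tag list (in a Rails app this is typically whatever you set via config.action_view.sanitized_allowed_tags or pass as the tags: keyword to sanitize), it reports whether the combination matches the advisory, and it produces the mitigated list with "mglyph" and "malignmark" removed. The function names, constants, and the sample override list are this example's own assumptions.

```ruby
# Added example (not from the advisory or the rails-html-sanitizer project):
# audit an overridden allowed-tags list against the conditions of
# CVE-2024-53988 and derive the mitigated list recommended in the advisory.
# Function and constant names here are this example's own.

# All four of these must be allowed for the issue to apply.
REQUIRED_TAGS = %w[math mtext table style].freeze
# At least one of these must additionally be allowed.
TRIGGER_TAGS  = %w[mglyph malignmark].freeze
# First rails-html-sanitizer release with the fix.
FIXED_VERSION = Gem::Version.new("1.6.1")

# Returns true when the given deployment matches the advisory's description:
# an unfixed gem, HTML5 sanitization enabled, and an override that allows the
# required tags plus at least one trigger tag.
def vulnerable_config?(gem_version:, allowed_tags:, html5: true)
  return false unless html5                              # HTML4 sanitizer is not affected
  return false if allowed_tags.nil?                      # default safe list is not affected
  return false if Gem::Version.new(gem_version) >= FIXED_VERSION
  tags = allowed_tags.map(&:to_s)
  REQUIRED_TAGS.all? { |t| tags.include?(t) } &&
    TRIGGER_TAGS.any? { |t| tags.include?(t) }
end

# Mitigation from the advisory for deployments that cannot upgrade yet:
# drop "mglyph" and "malignmark" from the override, keeping everything else.
def hardened_tags(allowed_tags)
  allowed_tags.map(&:to_s) - TRIGGER_TAGS
end

# Constructed sample override, modelled on the advisory's wording: a developer
# extended the safe list with table markup, <style>, and MathML elements.
EXAMPLE_OVERRIDE = %w[p a b i table tr td style math mtext mglyph malignmark].freeze

if __FILE__ == $PROGRAM_NAME
  [
    ["1.6.0 + override ", { gem_version: "1.6.0", allowed_tags: EXAMPLE_OVERRIDE }],
    ["1.6.1 + override ", { gem_version: "1.6.1", allowed_tags: EXAMPLE_OVERRIDE }],
    ["1.6.0 + hardened ", { gem_version: "1.6.0", allowed_tags: hardened_tags(EXAMPLE_OVERRIDE) }],
    ["1.6.0 + HTML4    ", { gem_version: "1.6.0", allowed_tags: EXAMPLE_OVERRIDE, html5: false }],
  ].each do |label, opts|
    puts "#{label} -> vulnerable: #{vulnerable_config?(**opts)}"
  end
end
```

Note that the check is deliberately conservative about what counts as "not affected": only the fixed version, the HTML4 sanitizer, or an untouched default list short-circuit it, so an override that allows the MathML elements without "mglyph" or "malignmark" correctly comes back as not matching, while adding either of those two flips the result.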

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

BDU:2025-04576
CVE-2024-53988
GHSA-CFJX-W229-HGX5
OPENSUSE-SU-2026:10569-1

Affected Products

Rails
Red Os
Rails-Html-Sanitizer