PT-2025-47871 · Rubygems · Prosemirror To Html
Published 2025-11-13 · Updated 2025-11-13
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-52c5-vh7f-26fx. This link is maintained to preserve external references.
Original Description
Impact
The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript.
Who is impacted:
- Any application using prosemirror_to_html to convert ProseMirror documents to HTML
- Applications that process user-generated ProseMirror content are at highest risk
- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers
Attack vectors include:
- href attributes with the javascript: protocol: `<a href="javascript:alert(document.cookie)">`
- Event handlers: `<div onclick="maliciousCode()">`
- onerror attributes on images: `<img src=x onerror="alert('XSS')">`
- Other HTML attributes that can execute JavaScript
Patches
A fix is currently in development. Users should upgrade to version 0.2.1 or later once it is released. The patch escapes all HTML attribute values using CGI.escapeHTML to prevent injection attacks.
Workarounds
Until a patched version is available, users can implement one or more of these mitigations:
- Output sanitization: run the rendered HTML through the Sanitize gem before displaying it:
```ruby
html = ProsemirrorToHtml.render(document)
safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)
```
- Implement Content Security Policy (CSP): add strict CSP headers to prevent inline JavaScript execution:
`Content-Security-Policy: default-src 'self'; script-src 'self'`
- Input validation: if possible, validate and sanitize ProseMirror documents before conversion to prevent malicious content from entering the system.
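To make the patch and the workarounds above concrete, here is an added Ruby example that is not the gem's own code: a minimal attribute renderer in the vulnerable form next to the escaped form the patch uses, plus a URL-scheme allowlist for href, because HTML-escaping stops a value from breaking out of its attribute but leaves a `javascript:` URL in href intact (which is why the Sanitize workaround still matters). The mark structure, the function names and the `SAFE_SCHEMES` list are assumptions for illustration.

```ruby
require "cgi"
require "uri"

# Constructed ProseMirror-style link mark (assumption: not the gem's real
# internal structure). Both attribute values are hostile: the href carries a
# javascript: URL and the title tries to close the attribute and add a handler.
HOSTILE_MARK = {
  "type" => "link",
  "attrs" => {
    "href"  => "javascript:alert(document.cookie)",
    "title" => "x\" onmouseover=\"alert(1)"
  }
}.freeze

# Vulnerable pattern from the advisory: values interpolated verbatim, so a
# quote in the value terminates the attribute and injects a new one.
def render_attrs_unescaped(attrs)
  attrs.map { |k, v| %(#{k}="#{v}") }.join(" ")
end

# Patched pattern: every value passed through CGI.escapeHTML, so quotes,
# angle brackets and ampersands can no longer alter the markup structure.
def render_attrs_escaped(attrs)
  attrs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v.to_s)}") }.join(" ")
end

# Escaping does not make "javascript:..." safe inside href; an allowlist of
# URL schemes is the additional check. Relative URLs (no scheme) are allowed.
SAFE_SCHEMES = %w[http https mailto].freeze

def safe_href?(href)
  uri = URI.parse(href.to_s)
  uri.scheme.nil? || SAFE_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false # unparsable (e.g. control characters) is treated as unsafe
end

# Render a link mark with both defences: scheme check, then escaping.
def render_link(mark)
  attrs = mark["attrs"].dup
  attrs["href"] = "#" unless safe_href?(attrs["href"])
  "<a #{render_attrs_escaped(attrs)}>"
end
```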
References
- Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
Affected Products
Prosemirror To Html