Advisories for Gem/Prosemirror_to_html package

2025

ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.

Who is impacted:
- Any application using prosemirror_to_html to convert ProseMirror documents to HTML
- Applications that process user-generated ProseMirror content are at highest risk
- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers …

Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.

Who is impacted:
- Any application using prosemirror_to_html to convert ProseMirror documents to HTML
- Applications that process user-generated ProseMirror content are at highest risk
- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers …

Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.

Who is impacted:
- Any application using prosemirror_to_html to convert ProseMirror documents to HTML
- Applications that process user-generated ProseMirror content are at highest risk
- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers …