GHSA-52c5-vh7f-26fx: Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

November 6, 2025

The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.

Who is impacted:

Any application using prosemirror_to_html to convert ProseMirror documents to HTML
Applications that process user-generated ProseMirror content are at highest risk
End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers

Attack vectors include:

href attributes with javascript: protocol: <a href="javascript:alert(document.cookie)">
Event handlers: <div onclick="maliciousCode()">
onerror attributes on images: <img src=x onerror="alert('XSS')">
Other HTML attributes that can execute JavaScript

References

Code Behaviors & Features

Detect and mitigate GHSA-52c5-vh7f-26fx with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →