GHSA-vfpf-xmwh-8m65: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.
Who is impacted:
- Any application using prosemirror_to_html to convert ProseMirror documents to HTML
- Applications that process user-generated ProseMirror content are at highest risk
- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers
Attack vectors include:
hrefattributes withjavascript:protocol:<a href="javascript:alert(document.cookie)">- Event handlers:
<div onclick="maliciousCode()"> onerrorattributes on images:<img src=x onerror="alert('XSS')">- Other HTML attributes that can execute JavaScript
References
- github.com/advisories/GHSA-vfpf-xmwh-8m65
- github.com/etaminstudio/prosemirror_to_html
- github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb
- github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8
- github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx
- github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/GHSA-52c5-vh7f-26fx.yml
Code Behaviors & Features
Detect and mitigate GHSA-vfpf-xmwh-8m65 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →