The vulnerability, which could also lead to other browser-side exploits, has now been fixed
UPDATED A cross-site scripting (XSS) security flaw has been patched in Sanitize, the allowlist-based Ruby Gem for HTML and CSS sanitization.
The high severity vulnerability (CVE-2020-4054), which arises when content is incorrectly sanitized, also potentially leaves users open to “other browser-side attacks like data exfiltration”, Michał Bentkowski, who discovered the flaw, told The Daily Swig.
Sanitize is based on Google’s Gumbo HTML5 parser and the Crass CSS parser, which respectively replicate the HTML and CSS parsing used by modern browsers. The Gem has more than 23 million downloads.
“When HTML is sanitized using Sanitize’s ‘relaxed’ config or a custom config that allows certain elements, some content in a <math> or <svg> element may not be sanitized correctly even if math and svg are not in the allowlist,” he explained.
“Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS or other undesired behavior when that HTML is rendered in a browser.”
Anyone who uses Sanitize’s relaxed config or a custom config that allows one or more of these HTML elements is potentially vulnerable: iframe, math, noembed, noframes, noscript, plaintext, script, style, svg, or xmp.
Grove examined the flaw in more detail in a separate proof of concept on GitHub.
Michał Bentkowski has also published a write-up detailing how he bypassed the Ruby Sanitize library in the relaxed config.
Security update and workaround
The XSS bug impacts Sanitize versions from 3.0.0 up to, but not including, 5.2.1; version 5.2.1, released on June 16, fixed the flaw.
“I reported the bug to the maintainer the day before he released the security advisory,” said Bentkowski, who is chief security researcher at security testing and training firm Securitum. “His response time is thus admirable!”
Grove offered a workaround to users who are unable to update their application: “Override the default value of Sanitize’s :remove_contents config option with a value, which ensures that the contents of math and svg elements (among others) are removed entirely when those elements are not in the allowlist,” he said.
Poland-based Bentkowski has had a productive week, having also revealed how shortcomings in the copy and paste functionality used by web apps can be abused to execute XSS attacks and data exfiltration, as reported by The Daily Swig.
This article was updated on July 23 to reference a write-up by Michał Bentkowski