`
+ - `onerror` attributes on images: `

`
+ - Other HTML attributes that can execute JavaScript
+
+ ### Patches
+
+ A fix is currently in development. Users should upgrade to version
+ **0.2.1** or later once released.
+
+ The patch escapes all HTML attribute values using `CGI.escapeHTML`
+ to prevent injection attacks.
+
+ ### Workarounds
+
+ Until a patched version is available, users can implement one or
+ more of these mitigations:
+
+ 1. **Sanitize output**: Pass the HTML output through a sanitization
+ library like [Sanitize](https://github.com/rgrove/sanitize) or
+ [Loofah](https://github.com/flavorjones/loofah):
+
+ ```ruby
+ html = ProsemirrorToHtml.render(document)
+ safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)
+ ```
+
+ 2. **Implement Content Security Policy (CSP)**: Add strict CSP
+ headers to prevent inline JavaScript execution:
+ ```
+ Content-Security-Policy: default-src 'self'; script-src 'self'
+ ```
+
+ 3. **Input validation**: If possible, validate and sanitize
+ ProseMirror documents before conversion to prevent malicious
+ content from entering the system.
+
+ ### References
+
+ - Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
+ - [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+cvss_v3: 7.6
+patched_versions:
+ - ">= 0.2.1"
+related:
+ url:
+ - https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx
+ - https://github.com/etaminstudio/prosemirror_to_html/releases/tag/v0.2.1
+ - https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8
+ - https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
+ - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/GHSA-52c5-vh7f-26fx.yml
+ - https://github.com/advisories/GHSA-vfpf-xmwh-8m65
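Review bot: the description and the metadata disagree on release status: the "Patches" section says "A fix is currently in development" and "once released", while `patched_versions` lists `">= 0.2.1"` and `related.url` links the v0.2.1 release tag and the fixing commit, so the description should be reworded to state that 0.2.1 is released and users should upgrade to it. Two `related.url` entries also look wrong for this file: the entry pointing at `rubysec/ruby-advisory-db/.../gems/prosemirror_to_html/GHSA-52c5-vh7f-26fx.yml` is the path of this very advisory and should be dropped, and the `lib/prosemirror_to_html.rb#L249` blob URL is already cited under "References" in the description, so it is duplicated. Minor: the CSP example is in an untagged fence while the Ruby example is tagged `ruby`; tagging it (e.g. `http`) keeps the rendering consistent.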