diff --git a/gems/prosemirror_to_html/CVE-2025-64501.yml b/gems/prosemirror_to_html/CVE-2025-64501.yml index a951cbf989..e0e3e270be 100644 --- a/gems/prosemirror_to_html/CVE-2025-64501.yml +++ b/gems/prosemirror_to_html/CVE-2025-64501.yml @@ -59,9 +59,9 @@ description: | Content-Security-Policy: default-src 'self'; script-src 'self' ``` - 3. **Input validation**: If possible, validate and sanitize ProseMirror - documents before conversion to prevent malicious content from - entering the system. + 3. **Input validation**: If possible, validate and sanitize + ProseMirror documents before conversion to prevent malicious + content from entering the system. ### References @@ -75,5 +75,6 @@ related: url: - https://nvd.nist.gov/vuln/detail/CVE-2025-64501 - https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx + - https://github.com/etaminstudio/prosemirror_to_html/releases/tag/v0.2.1 - https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 - https://github.com/advisories/GHSA-52c5-vh7f-26fx diff --git a/gems/prosemirror_to_html/GHSA-52c5-vh7f-26fx.yml b/gems/prosemirror_to_html/GHSA-52c5-vh7f-26fx.yml deleted file mode 100644 index 674113bdbe..0000000000 --- a/gems/prosemirror_to_html/GHSA-52c5-vh7f-26fx.yml +++ /dev/null 
@@ -1,78 +0,0 @@ ---- -gem: prosemirror_to_html -ghsa: 52c5-vh7f-26fx -url: https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx -title: Cross-Site Scripting (XSS) vulnerability through unescaped - HTML attribute values -date: 2025-11-06 -description: | - ### Impact - - The prosemirror_to_html gem is vulnerable to Cross-Site Scripting - (XSS) attacks through malicious HTML attribute values. While tag - content is properly escaped, attribute values are not, allowing - attackers to inject arbitrary JavaScript code. - - **Who is impacted:** - - - Any application using prosemirror_to_html to convert ProseMirror - documents to HTML - - Applications that process user-generated ProseMirror content are - at highest risk - - End users viewing the rendered HTML output could have malicious - JavaScript executed in their browsers - - **Attack vectors include:** - - - `href` attributes with `javascript:` protocol: - `` - - Event handlers: `
` - - `onerror` attributes on images: `` - - Other HTML attributes that can execute JavaScript - - ### Patches - - A fix is currently in development. Users should upgrade to version - **0.2.1** or later once released. - - The patch escapes all HTML attribute values using `CGI.escapeHTML` - to prevent injection attacks. - - ### Workarounds - - Until a patched version is available, users can implement one or - more of these mitigations: - - 1. **Sanitize output**: Pass the HTML output through a sanitization - library like [Sanitize](https://github.com/rgrove/sanitize) or - [Loofah](https://github.com/flavorjones/loofah): - - ```ruby - html = ProsemirrorToHtml.render(document) - safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED) - ``` - - 2. **Implement Content Security Policy (CSP)**: Add strict CSP - headers to prevent inline JavaScript execution: - ``` - Content-Security-Policy: default-src 'self'; script-src 'self' - ``` - - 3. **Input validation**: If possible, validate and sanitize - ProseMirror documents before conversion to prevent malicious - content from entering the system. - - ### References - - - Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249 - - [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) - - [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html) -cvss_v3: 7.6 -patched_versions: - - ">= 0.2.1" -related: - url: - - https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx - - https://github.com/etaminstudio/prosemirror_to_html/releases/tag/v0.2.1 - - https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 - - https://github.com/advisories/GHSA-52c5-vh7f-26fx
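Review bot: the `@@ -59,9 +59,9 @@` hunk in CVE-2025-64501.yml changes only line wrapping in mitigation item 3; every word is identical before and after. The new wrapping matches item 3 in the GHSA-52c5-vh7f-26fx.yml file being deleted in the same patch, so this looks like text alignment rather than a content fix. Either mention in the commit message that the hunk is cosmetic or drop it to keep the diff to the substantive changes.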
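Review bot: in the `@@ -75,5 +75,6 @@` hunk the added `releases/tag/v0.2.1` URL sits between the advisory and commit links, which is the same position it held in the deleted GHSA file's `related.url` list, so the ordering stays consistent. One thing to check is that the NVD entry for CVE-2025-64501 also lists the release tag; if it does not, the comment in the commit message should say the link is carried over from the GHSA file rather than from NVD, so a later sync does not strip it again.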
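Review bot: the `@@ -1,78 +0,0 @@` deletion of GHSA-52c5-vh7f-26fx.yml is only safe if CVE-2025-64501.yml already carries the fields this file had and the visible CVE hunks do not show: `ghsa: 52c5-vh7f-26fx` (so the advisory remains resolvable by GHSA id), `date: 2025-11-06`, `cvss_v3: 7.6`, `patched_versions: - ">= 0.2.1"`, and the Impact, Patches and Workarounds sections of the description. The diff context for the CVE file shows only mitigation item 3 and the `related.url` list, so please confirm the `ghsa` and `cvss_v3` values are present there before merging. Separately, the deleted file's Patches section still reads "A fix is currently in development. Users should upgrade to version **0.2.1** or later once released." while its own `related.url` list already points at the v0.2.1 release tag; if the CVE file inherited that paragraph, it should state that 0.2.1 is released rather than pending.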