|
| 1 | +--- |
| 2 | +layout: advisory |
| 3 | +title: 'GHSA-52c5-vh7f-26fx (prosemirror_to_html): Cross-Site Scripting (XSS) vulnerability |
| 4 | + through unescaped HTML attribute values' |
| 5 | +comments: false |
| 6 | +categories: |
| 7 | +- prosemirror_to_html |
| 8 | +advisory: |
| 9 | + gem: prosemirror_to_html |
| 10 | + ghsa: 52c5-vh7f-26fx |
| 11 | + url: https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx |
| 12 | + title: Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute |
| 13 | + values |
| 14 | + date: 2025-11-06 |
| 15 | + description: | |
| 16 | + ### Impact |
| 17 | +
|
| 18 | + The prosemirror_to_html gem is vulnerable to Cross-Site Scripting |
| 19 | + (XSS) attacks through malicious HTML attribute values. While tag |
| 20 | + content is properly escaped, attribute values are not, allowing |
| 21 | + attackers to inject arbitrary JavaScript code. |
| 22 | +
|
| 23 | + **Who is impacted:** |
| 24 | +
|
| 25 | + - Any application using prosemirror_to_html to convert ProseMirror |
| 26 | + documents to HTML |
| 27 | + - Applications that process user-generated ProseMirror content are |
| 28 | + at highest risk |
| 29 | + - End users viewing the rendered HTML output could have malicious |
| 30 | + JavaScript executed in their browsers |
| 31 | +
|
| 32 | + **Attack vectors include:** |
| 33 | +
|
| 34 | + - `href` attributes with `javascript:` protocol: |
| 35 | + `<a href="javascript:alert(document.cookie)">` |
| 36 | + - Event handlers: `<div onclick="maliciousCode()">` |
| 37 | + - `onerror` attributes on images: `<img src=x onerror="alert('XSS')">` |
| 38 | + - Other HTML attributes that can execute JavaScript |
| 39 | +
|
| 40 | + ### Patches |
| 41 | +
|
| 42 | + A fix is currently in development. Users should upgrade to version |
| 43 | + **0.2.1** or later once released. |
| 44 | +
|
| 45 | + The patch escapes all HTML attribute values using `CGI.escapeHTML` |
| 46 | + to prevent injection attacks. |
| 47 | +
|
| 48 | + ### Workarounds |
| 49 | +
|
| 50 | + Until a patched version is available, users can implement one or |
| 51 | + more of these mitigations: |
| 52 | +
|
| 53 | + 1. **Sanitize output**: Pass the HTML output through a sanitization |
| 54 | + library like [Sanitize](https://github.com/rgrove/sanitize) or |
| 55 | + [Loofah](https://github.com/flavorjones/loofah): |
| 56 | +
|
| 57 | + ```ruby |
| 58 | + html = ProsemirrorToHtml.render(document) |
| 59 | + safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED) |
| 60 | + ``` |
| 61 | +
|
| 62 | + 2. **Implement Content Security Policy (CSP)**: Add strict CSP |
| 63 | + headers to prevent inline JavaScript execution: |
| 64 | + ``` |
| 65 | + Content-Security-Policy: default-src 'self'; script-src 'self' |
| 66 | + ``` |
| 67 | +
|
| 68 | + 3. **Input validation**: If possible, validate and sanitize |
| 69 | + ProseMirror documents before conversion to prevent malicious |
| 70 | + content from entering the system. |
| 71 | +
|
| 72 | + ### References |
| 73 | +
|
| 74 | + - Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249 |
| 75 | + - [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) |
| 76 | + - [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html) |
| 77 | + cvss_v3: 7.6 |
| 78 | + patched_versions: |
| 79 | + - ">= 0.2.1" |
| 80 | + related: |
| 81 | + url: |
| 82 | + - https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx |
| 83 | + - https://github.com/etaminstudio/prosemirror_to_html/releases/tag/v0.2.1 |
| 84 | + - https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 |
| 85 | + - https://github.com/advisories/GHSA-52c5-vh7f-26fx |
| 86 | +--- |
0 commit comments