Updated advisory posts against rubysec/ruby-advisory-db@f29132e

jasnow · RubySec CI · commit ed1b95dfeb45 · 2025-11-10T21:59:55.000Z
diff --git a/advisories/_posts/2025-11-07-GHSA-vfpf-xmwh-8m65.md b/advisories/_posts/2025-11-07-GHSA-vfpf-xmwh-8m65.md
@@ -0,0 +1,87 @@
+---
+layout: advisory
+title: 'GHSA-vfpf-xmwh-8m65 (prosemirror_to_html): ProsemirrorToHtml has a Cross-Site
+  Scripting (XSS) vulnerability through unescaped HTML attribute values'
+comments: false
+categories:
+- prosemirror_to_html
+advisory:
+  gem: prosemirror_to_html
+  ghsa: vfpf-xmwh-8m65
+  url: https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx
+  title: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through
+    unescaped HTML attribute values
+  date: 2025-11-07
+  description: |
+    ### Impact
+
+    The prosemirror_to_html gem is vulnerable to Cross-Site Scripting
+    (XSS) attacks through malicious HTML attribute values. While tag
+    content is properly escaped, attribute values are not, allowing
+    attackers to inject arbitrary JavaScript code.
+
+    **Who is impacted:**
+
+    - Any application using prosemirror_to_html to convert ProseMirror
+      documents to HTML
+    - Applications that process user-generated ProseMirror content are
+      at highest risk
+    - End users viewing the rendered HTML output could have malicious
+     JavaScript executed in their browsers
+
+    **Attack vectors include:**
+
+    - `href` attributes with `javascript:` protocol:
+      `<a href="javascript:alert(document.cookie)">`
+    - Event handlers: `<div onclick="maliciousCode()">`
+    - `onerror` attributes on images: `<img src=x onerror="alert('XSS')">`
+    - Other HTML attributes that can execute JavaScript
+
+    ### Patches
+
+    A fix is currently in development. Users should upgrade to version
+    **0.2.1** or later once released.
+
+    The patch escapes all HTML attribute values using `CGI.escapeHTML`
+    to prevent injection attacks.
+
+    ### Workarounds
+
+    Until a patched version is available, users can implement one or
+    more of these mitigations:
+
+    1. **Sanitize output**: Pass the HTML output through a sanitization
+       library like [Sanitize](https://github.com/rgrove/sanitize) or
+       [Loofah](https://github.com/flavorjones/loofah):
+
+    ```ruby
+       html = ProsemirrorToHtml.render(document)
+       safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)
+    ```
+
+    2. **Implement Content Security Policy (CSP)**: Add strict CSP
+       headers to prevent inline JavaScript execution:
+    ```
+       Content-Security-Policy: default-src 'self'; script-src 'self'
+    ```
+
+    3. **Input validation**: If possible, validate and sanitize
+       ProseMirror documents before conversion to prevent malicious
+       content from entering the system.
+
+    ### References
+
+    - Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
+    - [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
+  cvss_v3: 7.6
+  patched_versions:
+  - ">= 0.2.1"
+  related:
+    url:
+    - https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx
+    - https://github.com/etaminstudio/prosemirror_to_html/releases/tag/v0.2.1
+    - https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8
+    - https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
+    - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/GHSA-52c5-vh7f-26fx.yml
+    - https://github.com/advisories/GHSA-vfpf-xmwh-8m65
+---
