CVE-2020-4054.yml
---
gem: sanitize
cve: 2020-4054
ghsa: p4x4-rw2p-8j8m
url: https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m
date: 2020-06-16
title: Cross-site scripting vulnerability via `<math>` or `<svg>` element in Sanitize
description: |
  When HTML is sanitized using Sanitize's "relaxed" config or a custom config that allows certain
  elements, some content in a `<math>` or `<svg>` element may not be sanitized correctly even if
  `math` and `svg` are not in the allowlist.

  You are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom
  config that allows one or more of the following HTML elements:

  - `iframe`
  - `math`
  - `noembed`
  - `noframes`
  - `noscript`
  - `plaintext`
  - `script`
  - `style`
  - `svg`
  - `xmp`

  ### Impact

  Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize,
  potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is
  rendered in a browser.

  ### Releases

  This problem has been fixed in Sanitize 5.2.1.

  ### Workarounds

  If upgrading is not possible, a workaround is to override the default value of Sanitize's
  `:remove_contents` config option with the following value, which ensures that the contents of
  `math` and `svg` elements (among others) are removed entirely when those elements are not in the
  allowlist:

  ```ruby
  %w[iframe math noembed noframes noscript plaintext script style svg xmp]
  ```

  For example, if you currently use Sanitize's relaxed config, you can create a custom config
  object that overrides the default value of `:remove_contents` like this:

  ```ruby
  custom_config = Sanitize::Config.merge(
    Sanitize::Config::RELAXED,
    :remove_contents => %w[iframe math noembed noframes noscript plaintext script style svg xmp]
  )
  ```

  You would then pass this custom config to Sanitize when sanitizing HTML.
cvss_v3: 7.3
patched_versions:
  - ">= 5.2.1"
unaffected_versions:
  - "< 3.0.0"
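Added example, not part of this advisory entry or of the Sanitize gem: it shows how the `patched_versions` and `unaffected_versions` fields above are matched against an installed version (the way bundler-audit consumes this file, using `Gem::Requirement` from Ruby's standard library), and how the `:remove_contents` workaround from the description is applied to a config Hash and checked. `BASELINE_CONFIG` is a constructed stand-in, not `Sanitize::Config::RELAXED`, and a plain `Hash#merge` stands in for `Sanitize::Config.merge`; the Sanitize gem itself is not loaded.

```ruby
# Added example, not part of this advisory file or of the Sanitize gem.
# Needs only Ruby's standard library (rubygems, yaml).
require 'rubygems'
require 'yaml'

# Constructed copy of the version fields from the advisory entry above.
ADVISORY = YAML.safe_load(<<~ADVISORY_YAML)
  gem: sanitize
  cve: 2020-4054
  patched_versions:
    - ">= 5.2.1"
  unaffected_versions:
    - "< 3.0.0"
ADVISORY_YAML

# The :remove_contents value the advisory recommends as a workaround.
REMOVE_CONTENTS_WORKAROUND =
  %w[iframe math noembed noframes noscript plaintext script style svg xmp].freeze

# True when +version+ satisfies at least one Gem::Requirement string.
def satisfies_any?(version, requirements)
  v = Gem::Version.new(version)
  requirements.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# A version is affected unless it falls inside unaffected_versions or
# patched_versions; this mirrors how bundler-audit reads these two fields.
def affected?(version, advisory = ADVISORY)
  return false if satisfies_any?(version, advisory.fetch('unaffected_versions', []))
  return false if satisfies_any?(version, advisory.fetch('patched_versions', []))
  true
end

# Hypothetical stand-in for a Sanitize config Hash. It is NOT
# Sanitize::Config::RELAXED; it only assumes, as the advisory describes, that
# math and svg are missing from :remove_contents before the workaround.
BASELINE_CONFIG = {
  elements: %w[a b em i p strong ul ol li],
  remove_contents: %w[iframe noembed noframes noscript script style]
}.freeze

# Elements from the advisory's list whose contents this config would NOT remove
# when the element itself is disallowed. Empty means the workaround is in place.
# Sanitize also accepts :remove_contents => true (remove the contents of every
# disallowed element), which covers the whole list.
def uncovered_elements(config)
  return [] if config[:remove_contents] == true
  REMOVE_CONTENTS_WORKAROUND - Array(config[:remove_contents])
end

# Apply the advisory's workaround. Hash#merge stands in for
# Sanitize::Config.merge here; :remove_contents is a top-level key, so the
# override replaces the old list and leaves :elements untouched.
def apply_workaround(config)
  config.merge(remove_contents: REMOVE_CONTENTS_WORKAROUND)
end

if __FILE__ == $PROGRAM_NAME
  %w[4.6.6 5.2.0 5.2.1 2.1.0].each do |v|
    puts "sanitize #{v}: #{affected?(v) ? 'AFFECTED' : 'not affected'}"
  end
  puts "uncovered before workaround: #{uncovered_elements(BASELINE_CONFIG).inspect}"
  puts "uncovered after workaround:  #{uncovered_elements(apply_workaround(BASELINE_CONFIG)).inspect}"
end
```

The version check treats `3.0.0` as affected, since `< 3.0.0` excludes it and `>= 5.2.1` does not cover it. The config check only reports what `:remove_contents` will strip; it does not inspect `:elements`, so a config that explicitly allows `math` or `svg` still needs the element review the advisory calls for.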