A medium severity vulnerability has been identified and patched in Loofah, which is a library used by `rails-html-sanitizer`. This issue has been assigned CVE-2018-8048.
The public notice can be found here:
To save you a click, I've reproduced the contents of the initial announcement here.
# CVE-2018-8048 - Loofah XSS Vulnerability
This issue has been created for public disclosure of an XSS / code injection vulnerability that was responsibly reported by the Shopify Application Security Team.
Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
## Affected Versions
Loofah < 2.2.1, but only:
* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.
Please note: JRuby users are not affected.
Upgrade to Loofah 2.2.1.
## History of this public disclosure
2018-03-19: Initial vulnerability report published