There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
This vulnerability has been assigned the CVE identifier CVE-2022-32209.
Versions Affected: ALL
Not affected: NONE
Fixed Versions: v1.4.3
## Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.
Code is only impacted if allowed tags are being overridden. This may be done via application configuration:
```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```
see
https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may be done with a `:tags` option to the Action View helper `sanitize`:
```
<%= sanitize @comment.body, tags: ["select", "style"] %>
```
see
https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be done with Rails::Html::SafeListSanitizer directly:
```ruby
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
```
or
```ruby
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
```
All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.
## Releases
The FIXED releases are available at the normal locations.
## Workarounds
Remove either `select` or `style` from the overridden allowed tags.
## Credits
This vulnerability was responsibly reported by [windshock](
https://hackerone.com/windshock?type=user).