[CVE-2022-32209] Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer

[Mike Dalessio]

There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
This vulnerability has been assigned the CVE identifier CVE-2022-32209.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: v1.4.3


## Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements.

Code is only impacted if allowed tags are being overridden. This may be done via application configuration:

```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a `:tags` option to the Action View helper `sanitize`:

```
<%= sanitize @comment.body, tags: ["select", "style"] %>
```

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

Or it may be done with Rails::Html::SafeListSanitizer directly:

```ruby
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
```

or

```ruby
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
```

All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.



## Releases

The FIXED releases are available at the normal locations.


## Workarounds

Remove either `select` or `style` from the overridden allowed tags.


## Credits

This vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).