{"schema_version":"1.7.3","id":"GHSA-vfpf-xmwh-8m65","published":"2025-11-07T23:17:31Z","modified":"2025-11-10T15:55:21.051886Z","withdrawn":"2025-11-10T15:37:06Z","summary":"Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values","details":"## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-52c5-vh7f-26fx. This link is maintained to preserve external references.\n\n## Original Description\n\n### Impact\n\nThe prosemirror_to_html gem is vulnerable to Cross-Site Scripting\n(XSS) attacks through malicious HTML attribute values. While tag\ncontent is properly escaped, attribute values are not, allowing\nattackers to inject arbitrary JavaScript code.\n\n**Who is impacted:**\n\n- Any application using prosemirror_to_html to convert ProseMirror\n  documents to HTML\n- Applications that process user-generated ProseMirror content are\n  at highest risk\n- End users viewing the rendered HTML output could have malicious\n JavaScript executed in their browsers\n\n**Attack vectors include:**\n\n- `href` attributes with `javascript:` protocol:\n  `<a href=\"javascript:alert(document.cookie)\">`\n- Event handlers: `<div onclick=\"maliciousCode()\">`\n- `onerror` attributes on images: `<img src=x onerror=\"alert('XSS')\">`\n- Other HTML attributes that can execute JavaScript\n\n### Patches\n\nA fix is currently in development. Users should upgrade to version\n**0.2.1** or later once released.\n\nThe patch escapes all HTML attribute values using `CGI.escapeHTML`\nto prevent injection attacks.\n\n### Workarounds\n\nUntil a patched version is available, users can implement one or\nmore of these mitigations:\n\n1. **Sanitize output**: Pass the HTML output through a sanitization\n   library like [Sanitize](https://github.com/rgrove/sanitize) or\n   [Loofah](https://github.com/flavorjones/loofah):\n\n```ruby\n   html = ProsemirrorToHtml.render(document)\n   safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)\n```\n\n2. **Implement Content Security Policy (CSP)**: Add strict CSP\n   headers to prevent inline JavaScript execution:\n```\n   Content-Security-Policy: default-src 'self'; script-src 'self'\n```\n\n3. **Input validation**: If possible, validate and sanitize\n   ProseMirror documents before conversion to prevent malicious\n   content from entering the system.\n\n### References\n\n- Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249\n- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)","affected":[{"package":{"name":"prosemirror_to_html","ecosystem":"RubyGems","purl":"pkg:gem/prosemirror_to_html"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.2.1"}]}],"versions":["0.1.0","0.2.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-vfpf-xmwh-8m65/GHSA-vfpf-xmwh-8m65.json"}}],"references":[{"type":"WEB","url":"https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx"},{"type":"WEB","url":"https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8"},{"type":"PACKAGE","url":"https://github.com/etaminstudio/prosemirror_to_html"},{"type":"WEB","url":"https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/GHSA-52c5-vh7f-26fx.yml"}],"database_specific":{"cwe_ids":["CWE-79"],"github_reviewed":true,"github_reviewed_at":"2025-11-07T23:17:31Z","nvd_published_at":null,"severity":"HIGH"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"}]}