GHSA-2j22-pr5w-6gq8
Loofah has improper detection of disallowed URIs via `allowed_uri?`
Details
## Summary
`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as ` ` (carriage return), ` ` (line feed), or `	` (tab).
## Details
The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java script:alert(1)` survive the control character strip, then ` ` is decoded to a carriage return, producing `java\rscript:alert(1)`.
Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.
## Impact
Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).
This only affects Loofah `2.25.0`.
## Mitigation
Upgrade to Loofah >= `2.25.1`.
## Credit
Responsibly reported by HackOne user @smlee.
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m [WEB]
- https://github.com/flavorjones/loofah/commit/f4ebc9c5193dde759a57541062e490e86fc7c068 [WEB]
- https://github.com/flavorjones/loofah [PACKAGE]
- https://github.com/flavorjones/loofah/releases/tag/v2.25.1 [WEB]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/GHSA-46fp-8f5p-pf2m.yml [WEB]