GHSA-46fp-8f5p-pf2m
Improper detection of disallowed URIs by Loofah `allowed_uri?`
Details
## Summary
`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as ` ` (carriage return), ` ` (line feed), or `	` (tab).
## Details
The `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java script:alert(1)` survive the control character strip, then ` ` is decoded to a carriage return, producing `java\rscript:alert(1)`.
Note that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.
## Impact
Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).
This only affects Loofah `2.25.0`.
## Mitigation
Upgrade to Loofah >= `2.25.1`.
## Credit
Responsibly reported by HackOne user `@smlee`.
Are you affected?
Enter the version of the package you're using.