version 1.3.0 XSS Vulnerability

Question

version 1.3.0 XSS Vulnerability

kaspatel-mdsol opened this issue 4 years ago · comments

Kashyap H Patel commented 4 years ago

Version 1.3.0 still has XSS vulnerabilities. Is there any plans to fix it?

Rafael Mendonça França · Answer 1 · Tue Apr 14 2020 00:48:59 GMT+0800 (China Standard Time)

Which XSS vulnerabilities? Care to expand on that?

Andy Nicholson · Answer 2 · Tue Apr 14 2020 13:29:27 GMT+0800 (China Standard Time)

@rafaelfranca bundle audit reports vulnerabilities for 1.3.0, perhaps erroneously?

I just hit this on my Rails 5.2 app:

Name: rails-html-sanitizer
Version: 1.3.0
Advisory: CVE-2015-7578
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI
Title: Possible XSS vulnerability in rails-html-sanitizer
Solution: upgrade to ~> 1.0.3

Name: rails-html-sanitizer
Version: 1.3.0
Advisory: CVE-2015-7580
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI
Title: Possible XSS vulnerability in rails-html-sanitizer
Solution: upgrade to ~> 1.0.3

Name: rails-html-sanitizer
Version: 1.3.0
Advisory: CVE-2015-7579
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to ~> 1.0.3

Vulnerabilities found!

Rafael Mendonça França · Answer 3 · Tue Apr 14 2020 23:59:00 GMT+0800 (China Standard Time)

Yes, that is an error on bundle audit.

Sean · Answer 4 · Sun Jan 31 2021 23:38:37 GMT+0800 (China Standard Time)

Am still getting the same error.