
GHSA-46fp-8f5p-pf2m: XSS Filter Bypass via Improper HTML Entity Decoding in Loofah allowed_uri?

Vulnerability ID: GHSA-46FP-8F5P-PF2M
CVSS Score: 5.3
Published: 2026-03-18

The Loofah Ruby gem, version 2.25.0, contains an improper URI validation vulnerability in the Loofah::HTML5::Scrub.allowed_uri? helper method. An attacker can bypass the protocol (scheme) validation by using HTML-encoded control characters in the URI, leading to cross-site scripting (XSS) when the "validated" URI is rendered in a browser.

TL;DR

Direct use of Loofah's allowed_uri? method does not account for HTML-encoded control characters in URIs. A payload like java script:alert(1), where the break in the scheme is an HTML-encoded control character, passes the check because the encoded reference is not a scheme character; the browser then decodes the reference, discards the control character as part of URL parsing, and is left with javascript:alert(1), achieving XSS. Default Loofah.sanitize() calls are not affected.

⚠️ Exploit Status: PoC

Technical Details

Vulnerability Class: Improper URI Validation / Filter Bypass
CWE ID: CWE-79 / CWE-116
Attack Vector: Network (AV:N)
CVSS v4.0 Score: 5.3 (Medium)
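The following is an added example, not Loofah's source code and not part of the advisory. It reimplements the general class of bug the advisory describes (a scheme check run on the raw, still-entity-encoded attribute value) as a deliberately weak checker, and puts a hardened checker beside it that first decodes HTML character references and normalises the string the way the WHATWG URL parser does before classifying the scheme. The function names, the hypothetical allow-list and the small named-entity table are assumptions for illustration; a production decoder should use the full HTML5 entity table (for example via Nokogiri) rather than this subset.

```ruby
# Added example: an illustrative weak scheme check of the kind the advisory
# describes, beside a browser-aware hardened version. Not Loofah's code.

# Tiny subset of the HTML5 named references (assumption: enough to show the
# technique; real code needs the complete table).
NAMED_ENTITIES = {
  'Tab' => "\t", 'NewLine' => "\n", 'colon' => ':',
  'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"', 'apos' => "'"
}.freeze

# Hypothetical allow-list of schemes a sanitizer might permit in href/src.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Scheme grammar per the URL standard: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
SCHEME_RE = /\A([a-z][a-z0-9+\-.]*):/i

# Weak pattern: match the scheme on the raw attribute value. Anything without a
# recognisable scheme is treated as a relative URL and allowed, so
# "java&#9;script:alert(1)" passes because '&' is not a scheme character, yet
# the browser turns it into "javascript:alert(1)".
def weak_allowed_uri?(raw)
  m = SCHEME_RE.match(raw)
  return true if m.nil?              # no scheme seen => "relative" => allowed
  ALLOWED_SCHEMES.include?(m[1].downcase)
end

# Decode HTML character references as a browser does before the URL parser
# sees the value. Numeric references are decoded with or without the trailing
# ';' (browsers decode them either way, the latter with a parse error).
def decode_html_entities(s)
  s.gsub(/&(#[xX]\h+|#\d+);?|&([A-Za-z]+);/) do |ref|
    numeric, named = $1, $2
    if numeric
      code = numeric.start_with?('#x', '#X') ? numeric[2..].to_i(16) : numeric[1..].to_i
      begin
        code.chr(Encoding::UTF_8)
      rescue RangeError
        ref                            # invalid code point: leave untouched
      end
    else
      NAMED_ENTITIES.fetch(named, ref) # unknown name: leave untouched
    end
  end
end

# Normalise like the WHATWG URL parser: strip leading/trailing C0 controls and
# space, then remove TAB, LF and CR wherever they occur.
def browser_normalize(s)
  s.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, '').delete("\t\n\r")
end

# Return the lower-cased scheme as a browser would see it, or nil if relative.
def scheme_of(url)
  m = SCHEME_RE.match(url)
  m && m[1].downcase
end

# Hardened pattern: decode, normalise, then classify what the browser will run.
def hardened_allowed_uri?(raw)
  url = browser_normalize(decode_html_entities(raw))
  scheme = scheme_of(url)
  return true if scheme.nil?         # genuinely relative after normalisation
  ALLOWED_SCHEMES.include?(scheme)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample attribute values, including encoded-control-character bypasses.
  samples = [
    'https://example.com/',            # allowed by both
    '/path?next=a:b',                  # relative; ':' in query is not a scheme
    'javascript:alert(1)',             # blocked by both
    'java&#9;script:alert(1)',         # encoded TAB inside the scheme
    'java&#x0A;script:alert(1)',       # encoded LF inside the scheme
    'java&#9script:alert(1)',          # numeric reference with no ';'
    '&#9;javascript:alert(1)',         # encoded leading TAB
    'java&Tab;script:alert(1)',        # named reference
    'javascript&colon;alert(1)'        # encoded ':' hides the scheme entirely
  ]
  samples.each do |s|
    printf("%-32s weak=%-5s hardened=%s\n", s, weak_allowed_uri?(s), hardened_allowed_uri?(s))
  end
end
```

The weak checker and the hardened checker agree on plain inputs and disagree exactly on the encoded ones: every entity-obfuscated javascript: variant above is accepted by the weak check and rejected by the hardened one. The general lesson is that any URI allow-list applied to HTML attribute text must operate on the value the browser will actually parse (after entity decoding and control-character removal), not on the serialised markup.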
Continue reading on Dev.to



