GHSA-46fp-8f5p-pf2m (loofah): Improper detection of disallowed URIs by Loofah `allowed_uri?`
    
    
      
        


...

The RubyLA blog offers insights, tutorials, and community updates for Ruby developers in Los Angeles and beyond. Developers can explore Ruby language features, web development frameworks, and best practices for building Ruby applications. Additionally, the blog covers Ruby meetups, events, and job opportunities in the Los Angeles area, fostering collaboration and networking within the local Ruby community.

RUBYLAND

A security advisory for Loofah gem version 2.25.0 describes a flaw in the `allowed_uri?` method that fails to reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters (carriage return, line feed, or tab). The method strips literal control characters before decoding HTML entities, allowing payloads like `java&#13;script:alert(1)` to bypass the check. This only affects direct callers of `Loofah::HTML5::Scrub.allowed_uri?` with HTML-encoded strings — the default `sanitize()` path is unaffected. Applications using this method to validate user-controlled URLs for href attributes may be vulnerable to XSS. The fix is to upgrade to Loofah >= 2.25.1.