{"id":123435,"url":"https://github.com/rails/rails-html-sanitizer","last_synced_at":"2026-05-14T20:30:27.604Z","repository":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-24T18:45:50.000Z","size":399,"stargazers_count":330,"open_issues_count":9,"forks_count":86,"subscribers_count":21,"default_branch":"main","last_synced_at":"2026-04-25T10:05:41.212Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2026-04-23T20:52:52.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":234,"total_committers":34,"mean_commits":6.882352941176471,"dds":0.5726495726495726,"last_synced_commit":"08e39d99059c1179efd5e50fdb3bc60a262973f8"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/rails/rails-html-sanitizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/sbom","scorecard":{"id":759289,"data":{"date":"2025-08-11","repo":{"name":"github.com/rails/rails-html-sanitizer","commit":"c7ab9f2f52b403dfd7fcfb99c4fe1a42f0a91549"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: MIT-LICENSE:0","Info: FSF or OSI recognized license: MIT License: MIT-LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-353f-x4gh-cqq8","Warn: Project is vulnerable to: GHSA-5w6v-399v-w3cc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T22:49:30.398Z","repository_id":10807221,"created_at":"2025-08-22T22:49:30.398Z","updated_at":"2025-08-22T22:49:30.398Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32375961,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-28T09:24:15.638Z","status":"ssl_error","status_checked_at":"2026-04-28T09:24:15.071Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"owner":{"login":"rails","name":"Ruby on Rails","uuid":"4223","kind":"organization","description":"","email":null,"website":"https://rubyonrails.org/","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/4223?v=4","repositories_count":116,"last_synced_at":"2023-04-09T03:40:20.529Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/rails","funding_links":[],"total_stars":114333,"followers":null,"following":null,"created_at":"2022-11-02T16:17:13.297Z","updated_at":"2023-04-09T03:40:20.550Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails/repositories"},"packages":[{"id":281551,"name":"rails-html-sanitizer","ecosystem":"rubygems","description":"HTML sanitization for Rails applications","homepage":"https://github.com/rails/rails-html-sanitizer","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":[],"namespace":null,"versions_count":20,"first_release_published_at":"2014-08-19T19:47:15.038Z","latest_release_published_at":"2026-02-24T18:46:02.899Z","latest_release_number":"1.7.0","last_synced_at":"2026-05-14T19:13:25.953Z","created_at":"2022-04-06T08:19:41.033Z","updated_at":"2026-05-14T19:13:25.953Z","registry_url":"https://rubygems.org/gems/rails-html-sanitizer","install_command":"gem install rails-html-sanitizer -s https://rubygems.org","documentation_url":"http://www.rubydoc.info/gems/rails-html-sanitizer/","metadata":{"funding":null},"repo_metadata":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2024-10-28T18:44:48.000Z","size":335,"stargazers_count":305,"open_issues_count":10,"forks_count":83,"subscribers_count":26,"default_branch":"main","last_synced_at":"2024-10-29T14:14:59.623Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2024-10-25T02:01:18.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":163,"total_committers":27,"mean_commits":6.037037037037037,"dds":0.6871165644171779,"last_synced_commit":"0c567b4b5a0c237ca880037034d390211b089d5b"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":17,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222088726,"owners_count":16929012,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"rails","name":"Ruby on Rails","uuid":"4223","kind":"organization","description":"","email":null,"website":"https://rubyonrails.org/","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/4223?v=4","repositories_count":116,"last_synced_at":"2023-04-09T03:40:20.529Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/rails","funding_links":[],"total_stars":114333,"followers":null,"following":null,"created_at":"2022-11-02T16:17:13.297Z","updated_at":"2023-04-09T03:40:20.550Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails/repositories"},"tags":[{"name":"v1.6.0","sha":"19fd6cd66f31316642e758bf01a410f3fd128f42","kind":"commit","published_at":"2023-05-26T13:20:28.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0/manifests"},{"name":"v1.6.0.rc2","sha":"3b31be5adbf1a351d3acd2527aaa687978caee81","kind":"commit","published_at":"2023-05-24T21:18:26.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2/manifests"},{"name":"v1.6.0.rc1","sha":"5419017d38a5544f8bffd8b23ea67862e4350215","kind":"commit","published_at":"2023-05-24T16:19:29.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1/manifests"},{"name":"v1.5.0","sha":"a337ec8a348b15a5ae52c5698cbf38dbc50bf34d","kind":"commit","published_at":"2023-01-20T18:52:01.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.5.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0/manifests"},{"name":"v1.4.4","sha":"fd63deaeb22e601237d4d4d12014e7ebd410ea9b","kind":"commit","published_at":"2022-12-12T22:43:11.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4/manifests"},{"name":"v1.4.3","sha":"f83f08c81a3a33ce0fb1c379933c416ae80672fa","kind":"commit","published_at":"2022-06-09T22:23:09.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3/manifests"},{"name":"v1.4.2","sha":"c86fed1dedb5380a4e46df5b4e8ee2904eac369d","kind":"commit","published_at":"2021-08-24T00:15:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2/manifests"},{"name":"v1.4.1","sha":"b41bc7a9d04190d4237aa263c9a2ff70afbcc5bf","kind":"commit","published_at":"2021-08-18T20:51:54.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1/manifests"},{"name":"v1.4.0","sha":"2e9ec19859c03c15c912732e5528ea0e8a7326da","kind":"commit","published_at":"2021-08-18T17:10:27.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0/manifests"},{"name":"v1.3.0","sha":"51dc564c6509201070f72456bb2c13f87bb373d6","kind":"commit","published_at":"2019-10-06T15:12:45.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.3.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0/manifests"},{"name":"v1.2.0","sha":"b8ea80d5f840a834a808a2171df3ada524b2a010","kind":"tag","published_at":"2019-08-08T22:04:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.2.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0/manifests"},{"name":"v1.1.0","sha":"df0c946aa0c1913e9b8e94be96da59fb57ec9d67","kind":"tag","published_at":"2019-08-05T01:14:03.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.1.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0/manifests"},{"name":"v1.0.4","sha":"53bf066ac3a163546a9c7c44c30998c21068c42d","kind":"tag","published_at":"2018-03-22T19:03:40.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4/manifests"},{"name":"v1.0.3","sha":"5c4354db7524b1df891df0a3e29877ce9f7575ca","kind":"tag","published_at":"2016-01-25T18:28:49.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3/manifests"},{"name":"v1.0.2","sha":"4f0f7810fce6c8aa63de07a40d69d6027a30acaf","kind":"tag","published_at":"2015-03-06T23:41:30.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2/manifests"},{"name":"v1.0.1","sha":"6b14d6a9e11b58253337df95f2b699665cf8b463","kind":"tag","published_at":"2014-09-25T16:05:46.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1/manifests"},{"name":"v1.0.0","sha":"71d89f668ee103b8a8422155ac61fe9f0754946d","kind":"tag","published_at":"2014-08-19T19:46:56.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0/manifests"}]},"repo_metadata_updated_at":"2024-10-29T19:53:11.320Z","dependent_packages_count":32,"downloads":659090390,"downloads_period":"total","dependent_repos_count":517903,"rankings":{"downloads":0.03177930665358326,"dependent_repos_count":0.028991648175198764,"dependent_packages_count":0.786119690904428,"stargazers_count":3.308950613842397,"forks_count":2.3667220481484375,"docker_downloads_count":0.1444007091803169,"average":1.1111606694840603},"purl":"pkg:gem/rails-html-sanitizer","advisories":[{"uuid":"GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x","url":"https://github.com/advisories/GHSA-rxv5-gxqc-xx8g","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"noscript\" element is explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"noscript\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"noscript\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"noscript\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"noscript\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"noscript\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"noscript\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"noscript\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2509647\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T22:18:27.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g","https://nvd.nist.gov/vuln/detail/CVE-2024-53989","https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53989.yml","https://github.com/advisories/GHSA-rxv5-gxqc-xx8g"],"source_kind":"github","identifiers":["GHSA-rxv5-gxqc-xx8g","CVE-2024-53989"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T23:06:49.936Z","updated_at":"2026-04-27T16:04:01.076Z","epss_percentage":0.0228,"epss_percentile":0.84726,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u","url":"https://github.com/advisories/GHSA-2x5m-9ch4-qgrr","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"style\" element is explicitly allowed\n- the \"svg\" or \"math\" element is not allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"style\" and omit \"svg\" or \"math\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:56.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr","https://nvd.nist.gov/vuln/detail/CVE-2024-53987","https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53987.yml","https://github.com/advisories/GHSA-2x5m-9ch4-qgrr"],"source_kind":"github","identifiers":["GHSA-2x5m-9ch4-qgrr","CVE-2024-53987"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:13.966Z","updated_at":"2026-04-27T16:04:01.077Z","epss_percentage":0.01968,"epss_percentile":0.83587,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t","url":"https://github.com/advisories/GHSA-cfjx-w229-hgx5","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\", \"mtext\", \"table\", and \"style\" elements are allowed\n- and either \"mglyph\" or \"malignmark\" are allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements except for \"table\". Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include (\"math\" and \"mtext\" and \"table\" and \"style\" and (\"mglyph\" or \"malignmark\")) should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"mglyph\" and \"malignmark\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5","https://nvd.nist.gov/vuln/detail/CVE-2024-53988","https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53988.yml","https://github.com/advisories/GHSA-cfjx-w229-hgx5"],"source_kind":"github","identifiers":["GHSA-cfjx-w229-hgx5","CVE-2024-53988"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.020Z","updated_at":"2026-04-27T16:04:01.077Z","epss_percentage":0.0228,"epss_percentile":0.84726,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s","url":"https://github.com/advisories/GHSA-638j-pmjw-jq48","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\" and \"style\" elements are both explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"math\" and \"style\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"math\" or \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519941\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:24.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48","https://nvd.nist.gov/vuln/detail/CVE-2024-53986","https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53986.yml","https://github.com/advisories/GHSA-638j-pmjw-jq48"],"source_kind":"github","identifiers":["GHSA-638j-pmjw-jq48","CVE-2024-53986"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.065Z","updated_at":"2026-04-27T16:04:01.078Z","epss_percentage":0.02649,"epss_percentile":0.85796,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r","url":"https://github.com/advisories/GHSA-w8gc-x259-rc7x","title":"rails-html-sanitize has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0 and Nokogiri \u003c 1.15.7, or 1.16.x \u003c 1.16.8.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\nPlease note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or \u003e= 1.16.8.\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n* allow both \"math\" and \"style\" elements\n* or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"svg\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"svg\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, remove \"math\" and \"svg\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information)\n- Or, independently upgrade Nokogiri to v1.15.7 or \u003e= 1.16.8.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2503220\n\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:14.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x","https://nvd.nist.gov/vuln/detail/CVE-2024-53985","https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1","https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml","https://github.com/advisories/GHSA-w8gc-x259-rc7x"],"source_kind":"github","identifiers":["GHSA-w8gc-x259-rc7x","CVE-2024-53985"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.111Z","updated_at":"2026-05-09T06:03:37.616Z","epss_percentage":0.02195,"epss_percentile":0.8451,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi","url":"https://github.com/advisories/GHSA-rrfc-7g8p-99q8","title":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements.\n\nCode is only impacted if allowed tags are being overridden using either of the following two mechanisms:\n\n1. Using the Rails configuration `config.action_view.sanitized_allow_tags=`:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n  ```\n\n  (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)\n\n2. Using the class method `Rails::Html::SafeListSanitizer.allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by either of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\nNOTE: Code is _not_ impacted if allowed tags are overridden using either of the following mechanisms:\n\n- the `:tags` option to the Action View helper method `sanitize`.\n- the `:tags` option to the instance method `SafeListSanitizer#sanitize`.\n\n\n## Workarounds\n\nRemove either \"select\" or \"style\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209\n- https://hackerone.com/reports/1654310\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:51:40.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8","https://hackerone.com/reports/1654310","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23520.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23520","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-rrfc-7g8p-99q8"],"source_kind":"github","identifiers":["GHSA-rrfc-7g8p-99q8","CVE-2022-23520"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.390Z","updated_at":"2026-05-14T17:09:31.215Z","epss_percentage":0.00363,"epss_percentile":0.58418,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh","url":"https://github.com/advisories/GHSA-9h9g-93gc-623h","title":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n- allow both \"math\" and \"style\" elements,\n- or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:\n\n1. using application configuration:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"svg\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds immediately.\n\n\n## Workarounds\n\nRemove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://hackerone.com/reports/1656627\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:50:25.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h","https://hackerone.com/reports/1656627","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23519","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-9h9g-93gc-623h"],"source_kind":"github","identifiers":["GHSA-9h9g-93gc-623h","CVE-2022-23519"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.399Z","updated_at":"2026-05-14T17:09:31.215Z","epss_percentage":0.00152,"epss_percentile":0.35301,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg","url":"https://github.com/advisories/GHSA-mcvf-2q2m-x72m","title":"Improper neutralization of data URIs may allow XSS in rails-html-sanitizer","description":"## Summary\n\nrails-html-sanitizer `\u003e= 1.0.3, \u003c 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `\u003e= 2.1.0`.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)\n- https://github.com/rails/rails-html-sanitizer/issues/135\n- https://hackerone.com/reports/1694173\n\n\n## Credit\n\nThis vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:45:39.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m","https://github.com/rails/rails-html-sanitizer/issues/135","https://github.com/w3c/svgwg/issues/266","https://hackerone.com/reports/1694173","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23518.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23518","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-mcvf-2q2m-x72m"],"source_kind":"github","identifiers":["GHSA-mcvf-2q2m-x72m","CVE-2022-23518"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.408Z","updated_at":"2026-05-14T17:09:31.216Z","epss_percentage":0.00276,"epss_percentile":0.50928,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003e= 1.0.3, \u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf","url":"https://github.com/advisories/GHSA-5x79-w82f-gw8w","title":"Inefficient Regular Expression Complexity in rails-html-sanitizer","description":"## Summary\n\nCertain configurations of rails-html-sanitizer `\u003c 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)\n- https://hackerone.com/reports/1684163\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-12-13T17:43:02.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w","https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979","https://hackerone.com/reports/1684163","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23517","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-5x79-w82f-gw8w"],"source_kind":"github","identifiers":["GHSA-5x79-w82f-gw8w","CVE-2022-23517"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.416Z","updated_at":"2026-05-14T00:07:14.756Z","epss_percentage":0.00261,"epss_percentile":0.49427,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c","url":"https://github.com/advisories/GHSA-pg8v-g4xq-hww9","title":"Rails::Html::Sanitizer vulnerable to Cross-site Scripting","description":"Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which  allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. \n\nThis may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`: ```\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e``` \n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize \n\nIt may also be done with Rails::Html::SafeListSanitizer directly: \n```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]```  or with\n```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-06-25T00:00:54.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2022-32209","https://hackerone.com/reports/1530898","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml","https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s","https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html","https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","https://github.com/advisories/GHSA-pg8v-g4xq-hww9"],"source_kind":"github","identifiers":["GHSA-pg8v-g4xq-hww9","CVE-2022-32209"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:12:14.237Z","updated_at":"2026-05-14T00:07:06.061Z","epss_percentage":0.05478,"epss_percentile":0.90265,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.3","vulnerable_version_range":"\u003c 1.4.3"}],"purl":"pkg:gem/rails-html-sanitizer"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo","url":"https://github.com/advisories/GHSA-77pc-q5q7-qg9h","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:58:30.000Z","withdrawn_at":"2020-06-16T21:21:56.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7580","https://github.com/advisories/GHSA-77pc-q5q7-qg9h"],"source_kind":"github","identifiers":["GHSA-77pc-q5q7-qg9h"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.116Z","updated_at":"2026-05-14T17:12:08.660Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4","url":"https://github.com/advisories/GHSA-mrhj-2g4v-39qx","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:58:19.000Z","withdrawn_at":"2020-06-16T21:47:07.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7579","https://github.com/advisories/GHSA-mrhj-2g4v-39qx"],"source_kind":"github","identifiers":["GHSA-mrhj-2g4v-39qx"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.125Z","updated_at":"2026-05-14T17:12:08.661Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"= 1.0.2"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.2"],"unaffected_versions":["1.0.0","1.0.1","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2","url":"https://github.com/advisories/GHSA-qc8j-m8j3-rjq6","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:57:58.000Z","withdrawn_at":"2020-06-17T15:15:01.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7578","https://github.com/advisories/GHSA-qc8j-m8j3-rjq6"],"source_kind":"github","identifiers":["GHSA-qc8j-m8j3-rjq6"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.134Z","updated_at":"2026-05-14T17:12:08.661Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4","url":"https://github.com/advisories/GHSA-px3r-jm9g-c8w8","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-04-26T15:41:10.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2018-3741","https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae","https://github.com/advisories/GHSA-px3r-jm9g-c8w8"],"source_kind":"github","identifiers":["GHSA-px3r-jm9g-c8w8","CVE-2018-3741"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:37.288Z","updated_at":"2026-05-14T17:12:10.138Z","epss_percentage":0.00129,"epss_percentile":0.32201,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.4","vulnerable_version_range":"\u003c 1.0.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3"],"unaffected_versions":["1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3","url":"https://github.com/advisories/GHSA-59c7-4xj2-hgvw","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7578","https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4","https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/11","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-59c7-4xj2-hgvw"],"source_kind":"github","identifiers":["GHSA-59c7-4xj2-hgvw","CVE-2015-7578"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.165Z","updated_at":"2026-05-14T17:12:11.842Z","epss_percentage":0.00166,"epss_percentile":0.37424,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2","url":"https://github.com/advisories/GHSA-r9c2-cr39-c8g6","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the `Rails::Html::FullSanitizer` class.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7579","https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f","https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/12","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-r9c2-cr39-c8g6"],"source_kind":"github","identifiers":["GHSA-r9c2-cr39-c8g6","CVE-2015-7579"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.175Z","updated_at":"2026-05-14T17:12:11.842Z","epss_percentage":0.00166,"epss_percentile":0.37424,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2/related_packages","related_advisories":[]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx","url":"https://github.com/advisories/GHSA-ghqm-pgxj-37gq","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in `lib/rails/html/scrubbers.rb` in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":6.1,"cvss_vector":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7580","https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78","https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/15","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-ghqm-pgxj-37gq"],"source_kind":"github","identifiers":["GHSA-ghqm-pgxj-37gq","CVE-2015-7580"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.185Z","updated_at":"2026-05-14T17:12:11.842Z","epss_percentage":0.00163,"epss_percentile":0.37457,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx","html_url":"https://advisories.ecosyste.ms/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx","packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":658647632,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.0.rc1","1.6.0.rc2","1.6.1","1.6.2","1.7.0"]}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/rubygems/rails-html-sanitizer","docker_dependents_count":1354,"docker_downloads_count":821064172,"usage_url":"https://repos.ecosyste.ms/usage/rubygems/rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/rubygems/rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":true,"issue_metadata":{"last_synced_at":"2024-10-29T17:32:32.376Z","issues_count":44,"pull_requests_count":91,"avg_time_to_close_issue":19941641.275,"avg_time_to_close_pull_request":804236.1627906977,"issues_closed_count":40,"pull_requests_closed_count":86,"pull_request_authors_count":45,"issue_authors_count":40,"avg_comments_per_issue":4.204545454545454,"avg_comments_per_pull_request":1.3076923076923077,"merged_pull_requests_count":64,"bot_issues_count":0,"bot_pull_requests_count":4,"past_year_issues_count":2,"past_year_pull_requests_count":19,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":117000.9375,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":16,"past_year_pull_request_authors_count":11,"past_year_issue_authors_count":1,"past_year_avg_comments_per_issue":0.5,"past_year_avg_comments_per_pull_request":0.6842105263157895,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":4,"past_year_merged_pull_requests_count":16,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","maintainers":[{"login":"flavorjones","count":40,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"},{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}],"active_maintainers":[{"login":"flavorjones","count":8,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/rails-html-sanitizer/codemeta","maintainers":[{"uuid":"43492","login":"jhawthorn","name":null,"email":null,"url":null,"packages_count":150,"html_url":"https://rubygems.org/profiles/jhawthorn","role":null,"created_at":"2022-11-09T09:46:58.693Z","updated_at":"2022-11-09T09:46:58.693Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/jhawthorn/packages"},{"uuid":"207","login":"tenderlove","name":null,"email":null,"url":null,"packages_count":189,"html_url":"https://rubygems.org/profiles/tenderlove","role":null,"created_at":"2022-11-09T09:46:58.885Z","updated_at":"2022-11-09T09:46:58.885Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/tenderlove/packages"},{"uuid":"54617","login":"kamipo","name":null,"email":null,"url":null,"packages_count":61,"html_url":"https://rubygems.org/profiles/kamipo","role":null,"created_at":"2022-11-09T09:46:58.685Z","updated_at":"2022-11-09T09:46:58.685Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/kamipo/packages"},{"uuid":"46413","login":"byroot","name":null,"email":null,"url":null,"packages_count":103,"html_url":"https://rubygems.org/profiles/byroot","role":null,"created_at":"2022-11-09T09:46:58.728Z","updated_at":"2022-11-09T09:46:58.728Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/byroot/packages"},{"uuid":"1550","login":"webster132","name":null,"email":null,"url":null,"packages_count":81,"html_url":"https://rubygems.org/profiles/webster132","role":null,"created_at":"2022-11-09T09:46:58.812Z","updated_at":"2022-11-09T09:46:58.812Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/webster132/packages"},{"uuid":"43998","login":"guilleiguaran","name":null,"email":null,"url":null,"packages_count":85,"html_url":"https://rubygems.org/profiles/guilleiguaran","role":null,"created_at":"2022-11-09T09:46:58.823Z","updated_at":"2022-11-09T09:46:58.823Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/guilleiguaran/packages"},{"uuid":"32977","login":"fxn","name":null,"email":null,"url":null,"packages_count":61,"html_url":"https://rubygems.org/profiles/fxn","role":null,"created_at":"2022-11-09T09:46:58.849Z","updated_at":"2022-11-09T09:46:58.849Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/fxn/packages"},{"uuid":"429","login":"cantoniodasilva","name":null,"email":null,"url":null,"packages_count":67,"html_url":"https://rubygems.org/profiles/cantoniodasilva","role":null,"created_at":"2022-11-09T09:46:58.875Z","updated_at":"2022-11-09T09:46:58.875Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/cantoniodasilva/packages"},{"uuid":"47349","login":"rafaelfranca","name":null,"email":null,"url":null,"packages_count":120,"html_url":"https://rubygems.org/profiles/rafaelfranca","role":null,"created_at":"2022-11-09T09:46:58.766Z","updated_at":"2022-11-09T09:46:58.766Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/rafaelfranca/packages"},{"uuid":"337","login":"jeremydaer","name":null,"email":null,"url":null,"packages_count":68,"html_url":"https://rubygems.org/profiles/jeremydaer","role":null,"created_at":"2022-11-09T09:46:58.789Z","updated_at":"2022-11-09T09:46:58.789Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/jeremydaer/packages"},{"uuid":"528","login":"matthewd","name":null,"email":null,"url":null,"packages_count":66,"html_url":"https://rubygems.org/profiles/matthewd","role":null,"created_at":"2022-11-09T09:46:58.892Z","updated_at":"2022-11-09T09:46:58.892Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/matthewd/packages"},{"uuid":"96878","login":"eileencodes","name":null,"email":null,"url":null,"packages_count":53,"html_url":"https://rubygems.org/profiles/eileencodes","role":null,"created_at":"2022-11-09T09:46:58.911Z","updated_at":"2022-11-09T09:46:58.911Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/eileencodes/packages"},{"uuid":"2583","login":"flavorjones","name":null,"email":null,"url":null,"packages_count":48,"html_url":"https://rubygems.org/profiles/flavorjones","role":null,"created_at":"2022-11-09T09:46:58.743Z","updated_at":"2022-11-09T09:46:58.743Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/flavorjones/packages"}],"registry":{"name":"rubygems.org","url":"https://rubygems.org","ecosystem":"rubygems","default":true,"packages_count":206959,"maintainers_count":68705,"namespaces_count":0,"keywords_count":18627,"github":"rubygems","metadata":{"funded_packages_count":7375},"icon_url":"https://github.com/rubygems.png","created_at":"2022-04-04T15:19:23.446Z","updated_at":"2026-05-13T05:11:24.133Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/namespaces"}},{"id":13950849,"name":"ruby-rails-html-sanitizer","ecosystem":"guix","description":"HTML sanitization for Rails applications","homepage":"https://github.com/rails/rails-html-sanitizer","licenses":"expat","normalized_licenses":["Other"],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":[],"namespace":null,"versions_count":1,"first_release_published_at":"2026-03-02T19:04:10.601Z","latest_release_published_at":"2026-03-02T19:04:10.601Z","latest_release_number":"1.6.0","last_synced_at":"2026-04-27T16:22:49.745Z","created_at":"2026-03-02T19:04:10.362Z","updated_at":"2026-04-27T16:22:49.746Z","registry_url":"https://packages.guix.gnu.org/packages/ruby-rails-html-sanitizer/1.6.0/","install_command":"guix install ruby-rails-html-sanitizer","documentation_url":"https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/rails.scm#n461","metadata":{"location":"gnu/packages/rails.scm:461","variable_name":"ruby-rails-html-sanitizer"},"repo_metadata":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-17T16:40:48.000Z","size":398,"stargazers_count":328,"open_issues_count":13,"forks_count":86,"subscribers_count":22,"default_branch":"main","last_synced_at":"2026-02-24T12:57:28.037Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2026-02-20T11:21:52.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":234,"total_committers":34,"mean_commits":6.882352941176471,"dds":0.5726495726495726,"last_synced_commit":"08e39d99059c1179efd5e50fdb3bc60a262973f8"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/rails/rails-html-sanitizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/sbom","scorecard":{"id":759289,"data":{"date":"2025-08-11","repo":{"name":"github.com/rails/rails-html-sanitizer","commit":"c7ab9f2f52b403dfd7fcfb99c4fe1a42f0a91549"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: MIT-LICENSE:0","Info: FSF or OSI recognized license: MIT License: MIT-LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-353f-x4gh-cqq8","Warn: Project is vulnerable to: GHSA-5w6v-399v-w3cc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T22:49:30.398Z","repository_id":10807221,"created_at":"2025-08-22T22:49:30.398Z","updated_at":"2025-08-22T22:49:30.398Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30016507,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-02T17:00:27.440Z","status":"ssl_error","status_checked_at":"2026-03-02T17:00:03.402Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"repo_metadata_updated_at":"2026-04-03T01:25:02.937Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":0.0,"dependent_packages_count":0.0,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":100},"purl":"pkg:guix/ruby-rails-html-sanitizer","advisories":[],"docker_usage_url":"https://docker.ecosyste.ms/usage/guix/ruby-rails-html-sanitizer","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/guix/ruby-rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/guix/ruby-rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-02-27T05:02:13.625Z","issues_count":47,"pull_requests_count":133,"avg_time_to_close_issue":19457960.85365854,"avg_time_to_close_pull_request":1837195.9674796748,"issues_closed_count":41,"pull_requests_closed_count":123,"pull_request_authors_count":47,"issue_authors_count":42,"avg_comments_per_issue":4.085106382978723,"avg_comments_per_pull_request":1.1052631578947367,"merged_pull_requests_count":95,"bot_issues_count":0,"bot_pull_requests_count":22,"past_year_issues_count":2,"past_year_pull_requests_count":20,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":1117208.8125,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":16,"past_year_pull_request_authors_count":4,"past_year_issue_authors_count":2,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.6,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":13,"past_year_merged_pull_requests_count":14,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","maintainers":[{"login":"flavorjones","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"},{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}],"active_maintainers":[{"login":"flavorjones","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages/ruby-rails-html-sanitizer/codemeta","maintainers":[],"registry":{"name":"guix","url":"https://guix.gnu.org","ecosystem":"guix","default":true,"packages_count":31315,"maintainers_count":0,"namespaces_count":0,"keywords_count":1627,"github":"guix-mirror","metadata":{"funded_packages_count":352},"icon_url":"https://github.com/guix-mirror.png","created_at":"2026-03-02T16:23:46.981Z","updated_at":"2026-05-07T05:00:22.550Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/guix/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/guix/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/guix/namespaces"}},{"id":8614662,"name":"github.com/rails/rails-html-sanitizer","ecosystem":"go","description":null,"homepage":null,"licenses":"mit","normalized_licenses":["MIT"],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":[],"namespace":null,"versions_count":18,"first_release_published_at":"2023-12-02T02:14:52.833Z","latest_release_published_at":"2026-02-24T18:45:07.000Z","latest_release_number":"v1.7.0","last_synced_at":"2026-05-13T18:46:01.347Z","created_at":"2023-12-02T02:14:48.140Z","updated_at":"2026-05-13T18:46:01.347Z","registry_url":"https://pkg.go.dev/github.com/rails/rails-html-sanitizer","install_command":"go get github.com/rails/rails-html-sanitizer","documentation_url":"https://pkg.go.dev/github.com/rails/rails-html-sanitizer#section-documentation","metadata":{},"repo_metadata":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2025-10-10T18:40:54.000Z","size":396,"stargazers_count":326,"open_issues_count":11,"forks_count":86,"subscribers_count":22,"default_branch":"main","last_synced_at":"2025-12-30T01:27:49.760Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2025-12-25T07:10:08.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":234,"total_committers":34,"mean_commits":6.882352941176471,"dds":0.5726495726495726,"last_synced_commit":"08e39d99059c1179efd5e50fdb3bc60a262973f8"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/rails/rails-html-sanitizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/sbom","scorecard":{"id":759289,"data":{"date":"2025-08-11","repo":{"name":"github.com/rails/rails-html-sanitizer","commit":"c7ab9f2f52b403dfd7fcfb99c4fe1a42f0a91549"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: MIT-LICENSE:0","Info: FSF or OSI recognized license: MIT License: MIT-LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-353f-x4gh-cqq8","Warn: Project is vulnerable to: GHSA-5w6v-399v-w3cc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T22:49:30.398Z","repository_id":10807221,"created_at":"2025-08-22T22:49:30.398Z","updated_at":"2025-08-22T22:49:30.398Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28143876,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-12-31T02:00:06.200Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"rails","name":"Ruby on Rails","uuid":"4223","kind":"organization","description":"","email":null,"website":"https://rubyonrails.org/","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/4223?v=4","repositories_count":116,"last_synced_at":"2023-04-09T03:40:20.529Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/rails","funding_links":[],"total_stars":114333,"followers":null,"following":null,"created_at":"2022-11-02T16:17:13.297Z","updated_at":"2023-04-09T03:40:20.550Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails/repositories"},"tags":[{"name":"v1.6.2","sha":"9160d49020b57828ea536ffedc9cac8fef98ee59","kind":"commit","published_at":"2024-12-12T20:59:07.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.2/manifests"},{"name":"v1.6.1","sha":"5e96b19bbb934284e675109851bd82429622bb6e","kind":"commit","published_at":"2024-12-02T20:50:58.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.1/manifests"},{"name":"v1.6.0","sha":"19fd6cd66f31316642e758bf01a410f3fd128f42","kind":"commit","published_at":"2023-05-26T13:20:28.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0/manifests"},{"name":"v1.6.0.rc2","sha":"3b31be5adbf1a351d3acd2527aaa687978caee81","kind":"commit","published_at":"2023-05-24T21:18:26.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0.rc2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2/manifests"},{"name":"v1.6.0.rc1","sha":"5419017d38a5544f8bffd8b23ea67862e4350215","kind":"commit","published_at":"2023-05-24T16:19:29.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0.rc1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1/manifests"},{"name":"v1.5.0","sha":"a337ec8a348b15a5ae52c5698cbf38dbc50bf34d","kind":"commit","published_at":"2023-01-20T18:52:01.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.5.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.5.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0/manifests"},{"name":"v1.4.4","sha":"fd63deaeb22e601237d4d4d12014e7ebd410ea9b","kind":"commit","published_at":"2022-12-12T22:43:11.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4/manifests"},{"name":"v1.4.3","sha":"f83f08c81a3a33ce0fb1c379933c416ae80672fa","kind":"commit","published_at":"2022-06-09T22:23:09.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3/manifests"},{"name":"v1.4.2","sha":"c86fed1dedb5380a4e46df5b4e8ee2904eac369d","kind":"commit","published_at":"2021-08-24T00:15:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2/manifests"},{"name":"v1.4.1","sha":"b41bc7a9d04190d4237aa263c9a2ff70afbcc5bf","kind":"commit","published_at":"2021-08-18T20:51:54.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1/manifests"},{"name":"v1.4.0","sha":"2e9ec19859c03c15c912732e5528ea0e8a7326da","kind":"commit","published_at":"2021-08-18T17:10:27.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0/manifests"},{"name":"v1.3.0","sha":"51dc564c6509201070f72456bb2c13f87bb373d6","kind":"commit","published_at":"2019-10-06T15:12:45.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.3.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.3.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0/manifests"},{"name":"v1.2.0","sha":"b8ea80d5f840a834a808a2171df3ada524b2a010","kind":"tag","published_at":"2019-08-08T22:04:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.2.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.2.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0/manifests"},{"name":"v1.1.0","sha":"df0c946aa0c1913e9b8e94be96da59fb57ec9d67","kind":"tag","published_at":"2019-08-05T01:14:03.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.1.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.1.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0/manifests"},{"name":"v1.0.4","sha":"53bf066ac3a163546a9c7c44c30998c21068c42d","kind":"tag","published_at":"2018-03-22T19:03:40.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4/manifests"},{"name":"v1.0.3","sha":"5c4354db7524b1df891df0a3e29877ce9f7575ca","kind":"tag","published_at":"2016-01-25T18:28:49.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3/manifests"},{"name":"v1.0.2","sha":"4f0f7810fce6c8aa63de07a40d69d6027a30acaf","kind":"tag","published_at":"2015-03-06T23:41:30.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2/manifests"},{"name":"v1.0.1","sha":"6b14d6a9e11b58253337df95f2b699665cf8b463","kind":"tag","published_at":"2014-09-25T16:05:46.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1/manifests"},{"name":"v1.0.0","sha":"71d89f668ee103b8a8422155ac61fe9f0754946d","kind":"tag","published_at":"2014-08-19T19:46:56.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0/manifests"}]},"repo_metadata_updated_at":"2026-01-02T06:36:41.569Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":10.801592556016239,"dependent_packages_count":9.575730298247606,"stargazers_count":3.2441711545052416,"forks_count":2.5944839212321713,"docker_downloads_count":null,"average":6.553994482500315},"purl":"pkg:golang/github.com/rails/rails-html-sanitizer","advisories":[],"docker_usage_url":"https://docker.ecosyste.ms/usage/go/github.com/rails/rails-html-sanitizer","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/go/github.com/rails/rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/go/github.com/rails/rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2025-12-31T00:01:03.270Z","issues_count":47,"pull_requests_count":131,"avg_time_to_close_issue":19457960.85365854,"avg_time_to_close_pull_request":1746126.1404958677,"issues_closed_count":41,"pull_requests_closed_count":121,"pull_request_authors_count":46,"issue_authors_count":42,"avg_comments_per_issue":4.085106382978723,"avg_comments_per_pull_request":1.0916030534351144,"merged_pull_requests_count":95,"bot_issues_count":0,"bot_pull_requests_count":21,"past_year_issues_count":2,"past_year_pull_requests_count":20,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":216783.26666666666,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":15,"past_year_pull_request_authors_count":3,"past_year_issue_authors_count":2,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.4,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":14,"past_year_merged_pull_requests_count":15,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","maintainers":[{"login":"flavorjones","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"},{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}],"active_maintainers":[{"login":"flavorjones","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Frails%2Frails-html-sanitizer/codemeta","maintainers":[],"registry":{"name":"proxy.golang.org","url":"https://proxy.golang.org","ecosystem":"go","default":true,"packages_count":2139187,"maintainers_count":0,"namespaces_count":782439,"keywords_count":112823,"github":"golang","metadata":{"funded_packages_count":53495},"icon_url":"https://github.com/golang.png","created_at":"2022-04-04T15:19:22.939Z","updated_at":"2026-04-19T05:14:45.920Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/namespaces"}},{"id":13669402,"name":"ruby-rails-html-sanitizer","ecosystem":"debian","description":null,"homepage":"https://github.com/rails/rails-html-sanitizer","licenses":null,"normalized_licenses":[],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":["misc"],"namespace":"main","versions_count":1,"first_release_published_at":"2026-02-12T12:40:37.168Z","latest_release_published_at":"2026-02-12T12:40:37.168Z","latest_release_number":"1.6.2-1","last_synced_at":"2026-03-14T18:11:06.336Z","created_at":"2026-02-12T12:40:36.958Z","updated_at":"2026-03-14T18:11:06.336Z","registry_url":"https://tracker.debian.org/pkg/ruby-rails-html-sanitizer","install_command":"apt-get install ruby-rails-html-sanitizer","documentation_url":"https://packages.debian.org/trixie/ruby-rails-html-sanitizer","metadata":{"component":"main","architecture":"all","priority":"optional","binary":"ruby-rails-html-sanitizer","standards_version":"4.7.0","maintainer":"Debian Ruby Team \u003cpkg-ruby-extras-maintainers@lists.alioth.debian.org\u003e","build_depends":"debhelper-compat (= 13), gem2deb (\u003e= 1), rake, ruby-loofah (\u003e= 2.21), ruby-nokogiri (\u003e= 1.17~)","build_depends_indep":null,"build_depends_arch":null},"repo_metadata":{},"repo_metadata_updated_at":"2026-02-12T12:40:37.225Z","dependent_packages_count":0,"downloads":null,"downloads_period":null,"dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":0.0,"dependent_packages_count":0.0,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":100},"purl":"pkg:deb/debian/ruby-rails-html-sanitizer?arch=source\u0026distro=debian-13\u0026repository_url=https://packages.debian.org/trixie","advisories":[],"docker_usage_url":"https://docker.ecosyste.ms/usage/debian/ruby-rails-html-sanitizer","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/debian/ruby-rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/debian/ruby-rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":null,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages/ruby-rails-html-sanitizer/codemeta","maintainers":[],"registry":{"name":"debian-13","url":"https://packages.debian.org/trixie","ecosystem":"debian","default":false,"packages_count":38024,"maintainers_count":0,"namespaces_count":4,"keywords_count":0,"github":"debian","metadata":{"codename":"trixie"},"icon_url":"https://github.com/debian.png","created_at":"2026-02-04T11:01:50.448Z","updated_at":"2026-04-27T18:20:39.853Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/debian-13/namespaces"}},{"id":12303701,"name":"rails-html-sanitizer","ecosystem":"rubygems","description":"HTML sanitization for Rails applications","homepage":"https://github.com/rails/rails-html-sanitizer","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/rails/rails-html-sanitizer","keywords_array":[],"namespace":null,"versions_count":20,"first_release_published_at":"2014-08-19T19:47:15.038Z","latest_release_published_at":"2026-02-24T18:46:02.899Z","latest_release_number":"1.7.0","last_synced_at":"2026-05-14T07:31:09.272Z","created_at":"2025-10-07T05:15:55.950Z","updated_at":"2026-05-14T07:33:27.659Z","registry_url":"https://gem.coop/gems/rails-html-sanitizer","install_command":"gem install rails-html-sanitizer -s https://gem.coop","documentation_url":"http://www.rubydoc.info/gems/rails-html-sanitizer/","metadata":{"funding":null},"repo_metadata":{"id":10807221,"uuid":"13080550","full_name":"rails/rails-html-sanitizer","owner":"rails","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-24T18:45:50.000Z","size":399,"stargazers_count":330,"open_issues_count":9,"forks_count":86,"subscribers_count":21,"default_branch":"main","last_synced_at":"2026-04-25T10:05:41.212Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rails.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2013-09-25T00:54:20.000Z","updated_at":"2026-04-23T20:52:52.000Z","dependencies_parsed_at":"2023-12-02T02:14:53.855Z","dependency_job_id":"9a9117be-2d10-4434-93d8-c22c2b90a76c","html_url":"https://github.com/rails/rails-html-sanitizer","commit_stats":{"total_commits":234,"total_committers":34,"mean_commits":6.882352941176471,"dds":0.5726495726495726,"last_synced_commit":"08e39d99059c1179efd5e50fdb3bc60a262973f8"},"previous_names":["rafaelfranca/rails-html-sanitizer"],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/rails/rails-html-sanitizer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/sbom","scorecard":{"id":759289,"data":{"date":"2025-08-11","repo":{"name":"github.com/rails/rails-html-sanitizer","commit":"c7ab9f2f52b403dfd7fcfb99c4fe1a42f0a91549"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.7,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":0,"reason":"Found 0/15 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Maintained","score":1,"reason":"2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/rails/rails-html-sanitizer/ci.yml/main?enable=pin","Info:   0 out of   3 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   3 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: MIT-LICENSE:0","Info: FSF or OSI recognized license: MIT License: MIT-LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 18 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":8,"reason":"2 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-353f-x4gh-cqq8","Warn: Project is vulnerable to: GHSA-5w6v-399v-w3cc"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T22:49:30.398Z","repository_id":10807221,"created_at":"2025-08-22T22:49:30.398Z","updated_at":"2025-08-22T22:49:30.398Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32375961,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-28T09:24:15.638Z","status":"ssl_error","status_checked_at":"2026-04-28T09:24:15.071Z","response_time":56,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"rails","name":"Ruby on Rails","uuid":"4223","kind":"organization","description":"","email":null,"website":"https://rubyonrails.org/","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/4223?v=4","repositories_count":116,"last_synced_at":"2023-04-09T03:40:20.529Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/rails","funding_links":[],"total_stars":114333,"followers":null,"following":null,"created_at":"2022-11-02T16:17:13.297Z","updated_at":"2023-04-09T03:40:20.550Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rails/repositories"},"tags":[{"name":"v1.7.0","sha":"a8a04134d77f765a166188ef0850369adb6686ab","kind":"commit","published_at":"2026-02-24T18:45:07.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.7.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.7.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.7.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.7.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.7.0/manifests"},{"name":"v1.6.2","sha":"9160d49020b57828ea536ffedc9cac8fef98ee59","kind":"commit","published_at":"2024-12-12T20:59:07.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.2/manifests"},{"name":"v1.6.1","sha":"5e96b19bbb934284e675109851bd82429622bb6e","kind":"commit","published_at":"2024-12-02T20:50:58.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.1/manifests"},{"name":"v1.6.0","sha":"19fd6cd66f31316642e758bf01a410f3fd128f42","kind":"commit","published_at":"2023-05-26T13:20:28.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0/manifests"},{"name":"v1.6.0.rc2","sha":"3b31be5adbf1a351d3acd2527aaa687978caee81","kind":"commit","published_at":"2023-05-24T21:18:26.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0.rc2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc2/manifests"},{"name":"v1.6.0.rc1","sha":"5419017d38a5544f8bffd8b23ea67862e4350215","kind":"commit","published_at":"2023-05-24T16:19:29.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.6.0.rc1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.6.0.rc1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.6.0.rc1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.6.0.rc1/manifests"},{"name":"v1.5.0","sha":"a337ec8a348b15a5ae52c5698cbf38dbc50bf34d","kind":"commit","published_at":"2023-01-20T18:52:01.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.5.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.5.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.5.0/manifests"},{"name":"v1.4.4","sha":"fd63deaeb22e601237d4d4d12014e7ebd410ea9b","kind":"commit","published_at":"2022-12-12T22:43:11.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.4/manifests"},{"name":"v1.4.3","sha":"f83f08c81a3a33ce0fb1c379933c416ae80672fa","kind":"commit","published_at":"2022-06-09T22:23:09.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.3/manifests"},{"name":"v1.4.2","sha":"c86fed1dedb5380a4e46df5b4e8ee2904eac369d","kind":"commit","published_at":"2021-08-24T00:15:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.2/manifests"},{"name":"v1.4.1","sha":"b41bc7a9d04190d4237aa263c9a2ff70afbcc5bf","kind":"commit","published_at":"2021-08-18T20:51:54.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.1/manifests"},{"name":"v1.4.0","sha":"2e9ec19859c03c15c912732e5528ea0e8a7326da","kind":"commit","published_at":"2021-08-18T17:10:27.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.4.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.4.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.4.0/manifests"},{"name":"v1.3.0","sha":"51dc564c6509201070f72456bb2c13f87bb373d6","kind":"commit","published_at":"2019-10-06T15:12:45.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.3.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.3.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.3.0/manifests"},{"name":"v1.2.0","sha":"b8ea80d5f840a834a808a2171df3ada524b2a010","kind":"tag","published_at":"2019-08-08T22:04:05.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.2.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.2.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.2.0/manifests"},{"name":"v1.1.0","sha":"df0c946aa0c1913e9b8e94be96da59fb57ec9d67","kind":"tag","published_at":"2019-08-05T01:14:03.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.1.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.1.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.1.0/manifests"},{"name":"v1.0.4","sha":"53bf066ac3a163546a9c7c44c30998c21068c42d","kind":"tag","published_at":"2018-03-22T19:03:40.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.4","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.4","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.4/manifests"},{"name":"v1.0.3","sha":"5c4354db7524b1df891df0a3e29877ce9f7575ca","kind":"tag","published_at":"2016-01-25T18:28:49.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.3","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.3","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.3/manifests"},{"name":"v1.0.2","sha":"4f0f7810fce6c8aa63de07a40d69d6027a30acaf","kind":"tag","published_at":"2015-03-06T23:41:30.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.2","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.2","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.2/manifests"},{"name":"v1.0.1","sha":"6b14d6a9e11b58253337df95f2b699665cf8b463","kind":"tag","published_at":"2014-09-25T16:05:46.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.1","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.1","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.1/manifests"},{"name":"v1.0.0","sha":"71d89f668ee103b8a8422155ac61fe9f0754946d","kind":"tag","published_at":"2014-08-19T19:46:56.000Z","download_url":"https://codeload.github.com/rails/rails-html-sanitizer/tar.gz/v1.0.0","html_url":"https://github.com/rails/rails-html-sanitizer/releases/tag/v1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"purl":"pkg:github/rails/rails-html-sanitizer@v1.0.0","tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/tags/v1.0.0/manifests"}]},"repo_metadata_updated_at":"2026-05-14T07:33:27.627Z","dependent_packages_count":0,"downloads":658857563,"downloads_period":"total","dependent_repos_count":0,"rankings":{"downloads":0.030816640986132512,"dependent_repos_count":0.0,"dependent_packages_count":0.0,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":0.01027221366204417},"purl":"pkg:gem/rails-html-sanitizer?repository_url=https://gem.coop","advisories":[{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXI5YzItY3IzOS1jOGc2","url":"https://github.com/advisories/GHSA-r9c2-cr39-c8g6","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the `Rails::Html::FullSanitizer` class.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7579","https://github.com/rails/rails-html-sanitizer/commit/49dfc1584c5b8e35a4ffabf8356ba3df025e8d3f","https://groups.google.com/forum/message/raw?msg=ruby-security-ann/OU9ugTZcbjc/uksRkSxZEgAJ","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/12","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-r9c2-cr39-c8g6"],"source_kind":"github","identifiers":["GHSA-r9c2-cr39-c8g6","CVE-2015-7579"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.175Z","updated_at":"2023-01-24T14:56:24.000Z","epss_percentage":0.00166,"epss_percentile":0.38251,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1yeHY1LWd4cWMteHg4Z84ABB_x","url":"https://github.com/advisories/GHSA-rxv5-gxqc-xx8g","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"noscript\" element is explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"noscript\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"noscript\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"noscript\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"noscript\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"noscript\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"noscript\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"noscript\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2509647\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T22:18:27.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g","https://nvd.nist.gov/vuln/detail/CVE-2024-53989","https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53989.yml","https://github.com/advisories/GHSA-rxv5-gxqc-xx8g"],"source_kind":"github","identifiers":["GHSA-rxv5-gxqc-xx8g","CVE-2024-53989"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T23:06:49.936Z","updated_at":"2024-12-03T18:50:36.000Z","epss_percentage":0.0024,"epss_percentile":0.47196,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS02MzhqLXBtanctanE0OM4ABB_s","url":"https://github.com/advisories/GHSA-638j-pmjw-jq48","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\" and \"style\" elements are both explicitly allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"math\" and \"style\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"math\" or \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519941\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:24.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48","https://nvd.nist.gov/vuln/detail/CVE-2024-53986","https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53986.yml","https://github.com/advisories/GHSA-638j-pmjw-jq48"],"source_kind":"github","identifiers":["GHSA-638j-pmjw-jq48","CVE-2024-53986"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.065Z","updated_at":"2024-12-03T18:50:31.000Z","epss_percentage":0.0024,"epss_percentile":0.47196,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4M3Itam05Zy1jOHc4","url":"https://github.com/advisories/GHSA-px3r-jm9g-c8w8","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-8048 in Loofah. All users running an affected release should either upgrade or use one of the workarounds immediately.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-04-26T15:41:10.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2018-3741","https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae","https://github.com/advisories/GHSA-px3r-jm9g-c8w8"],"source_kind":"github","identifiers":["GHSA-px3r-jm9g-c8w8","CVE-2018-3741"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:37.288Z","updated_at":"2023-03-01T18:54:08.000Z","epss_percentage":0.00476,"epss_percentile":0.64064,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.4","vulnerable_version_range":"\u003c 1.0.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3"],"unaffected_versions":["1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdocW0tcGd4ai0zN2dx","url":"https://github.com/advisories/GHSA-ghqm-pgxj-37gq","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in `lib/rails/html/scrubbers.rb` in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7580","https://github.com/rails/rails-html-sanitizer/commit/63903b0eaa6d2a4e1c91bc86008256c4c8335e78","https://groups.google.com/forum/message/raw?msg=rubyonrails-security/uh--W4TDwmI/m_CVZtdbFQAJ","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/15","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-ghqm-pgxj-37gq"],"source_kind":"github","identifiers":["GHSA-ghqm-pgxj-37gq","CVE-2015-7580"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.185Z","updated_at":"2023-01-23T21:16:06.000Z","epss_percentage":0.00193,"epss_percentile":0.41417,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTc3cGMtcTVxNy1xZzlo","url":"https://github.com/advisories/GHSA-77pc-q5q7-qg9h","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:58:30.000Z","withdrawn_at":"2020-06-16T21:21:56.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7580","https://github.com/advisories/GHSA-77pc-q5q7-qg9h"],"source_kind":"github","identifiers":["GHSA-77pc-q5q7-qg9h"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.116Z","updated_at":"2023-01-09T05:02:36.000Z","epss_percentage":null,"epss_percentile":null,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW1yaGotMmc0di0zOXF4","url":"https://github.com/advisories/GHSA-mrhj-2g4v-39qx","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:58:19.000Z","withdrawn_at":"2020-06-16T21:47:07.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7579","https://github.com/advisories/GHSA-mrhj-2g4v-39qx"],"source_kind":"github","identifiers":["GHSA-mrhj-2g4v-39qx"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.125Z","updated_at":"2023-01-09T05:03:22.000Z","epss_percentage":null,"epss_percentile":null,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"= 1.0.2"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjOGotbThqMy1yanE2","url":"https://github.com/advisories/GHSA-qc8j-m8j3-rjq6","title":"Moderate severity vulnerability that affects rails-html-sanitizer","description":"Withdrawn, accidental duplicate publish.\r\n\r\nCross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2018-09-17T21:57:58.000Z","withdrawn_at":"2020-06-17T15:15:01.000Z","classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7578","https://github.com/advisories/GHSA-qc8j-m8j3-rjq6"],"source_kind":"github","identifiers":["GHSA-qc8j-m8j3-rjq6"],"repository_url":null,"blast_radius":0.0,"created_at":"2022-12-21T16:13:36.134Z","updated_at":"2023-01-09T05:03:18.000Z","epss_percentage":null,"epss_percentile":null,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS0yeDVtLTljaDQtcWdycs4ABB_u","url":"https://github.com/advisories/GHSA-2x5m-9ch4-qgrr","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"style\" element is explicitly allowed\n- the \"svg\" or \"math\" element is not allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements. Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include \"style\" and omit \"svg\" or \"math\" should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:56.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr","https://nvd.nist.gov/vuln/detail/CVE-2024-53987","https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53987.yml","https://github.com/advisories/GHSA-2x5m-9ch4-qgrr"],"source_kind":"github","identifiers":["GHSA-2x5m-9ch4-qgrr","CVE-2024-53987"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:13.966Z","updated_at":"2024-12-03T18:50:33.000Z","epss_percentage":0.0024,"epss_percentile":0.47196,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS13OGdjLXgyNTktcmM3eM4ABB_r","url":"https://github.com/advisories/GHSA-w8gc-x259-rc7x","title":"rails-html-sanitize has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0 and Nokogiri \u003c 1.15.7, or 1.16.x \u003c 1.16.8.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\nPlease note that the fix in v1.6.1 is to update the dependency on Nokogiri to 1.15.7 or \u003e= 1.16.8.\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n* allow both \"math\" and \"style\" elements\n* or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"svg\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"style\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"svg\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"style\" from the overridden allowed tags,\n- Or, remove \"math\" and \"svg\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information)\n- Or, independently upgrade Nokogiri to v1.15.7 or \u003e= 1.16.8.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2503220\n\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:14.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x","https://nvd.nist.gov/vuln/detail/CVE-2024-53985","https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1","https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53985.yml","https://github.com/advisories/GHSA-w8gc-x259-rc7x"],"source_kind":"github","identifiers":["GHSA-w8gc-x259-rc7x","CVE-2024-53985"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.111Z","updated_at":"2024-12-03T18:50:30.000Z","epss_percentage":0.00333,"epss_percentile":0.55582,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1jZmp4LXcyMjktaGd4Nc4ABB_t","url":"https://github.com/advisories/GHSA-cfjx-w229-hgx5","title":"rails-html-sanitizer has XSS vulnerability with certain configurations","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer 1.6.0 when used with Rails \u003e= 7.1.0.\n\n* Versions affected: 1.6.0\n* Not affected: \u003c 1.6.0\n* Fixed versions: 1.6.1\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::HTML::Sanitizer may allow an attacker to inject content if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags in the following way:\n\n- the \"math\", \"mtext\", \"table\", and \"style\" elements are allowed\n- and either \"mglyph\" or \"malignmark\" are allowed\n\nCode is only impacted if Rails is configured to use HTML5 sanitization, please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information on these configuration options.\n\nThe default configuration is to disallow all of these elements except for \"table\". Code is only impacted if allowed tags are being overridden. Applications may be doing this in a few different ways:\n\n1. using application configuration to configure Action View sanitizers' allowed tags:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:\n\n  ```ruby\n  # class-level option\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  Rails::HTML5::SafeListSanitizer.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"])\n  # or\n  Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"])\n  ```\n\n  (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)\n\n5. setting ActionText::ContentHelper module attribute `allowed_tags`:\n\n  ```ruby\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"mglyph\"]\n  # or\n  ActionText::ContentHelper.allowed_tags = [\"math\", \"mtext\", \"table\", \"style\", \"malignmark\"]\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include (\"math\" and \"mtext\" and \"table\" and \"style\" and (\"mglyph\" or \"malignmark\")) should either upgrade or use one of the workarounds.\n\n\n## Workarounds\n\nAny one of the following actions will work around this issue:\n\n- Remove \"mglyph\" and \"malignmark\" from the overridden allowed tags,\n- Or, downgrade sanitization to HTML4 (see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor) and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor) for more information).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- Original report: https://hackerone.com/reports/2519936\n\n## Credit\n\nThis vulnerability was responsibly reported by So Sakaguchi ([mokusou](https://hackerone.com/mokusou)) and [taise](https://hackerone.com/taise).\n","origin":"UNSPECIFIED","severity":"LOW","published_at":"2024-12-02T21:48:42.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":2.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N","references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5","https://nvd.nist.gov/vuln/detail/CVE-2024-53988","https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2024-53988.yml","https://github.com/advisories/GHSA-cfjx-w229-hgx5"],"source_kind":"github","identifiers":["GHSA-cfjx-w229-hgx5","CVE-2024-53988"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":13.142771381445126,"created_at":"2024-12-02T22:07:14.020Z","updated_at":"2024-12-03T18:50:34.000Z","epss_percentage":0.0024,"epss_percentile":0.47196,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.6.1","vulnerable_version_range":"= 1.6.0"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":[],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS01eDc5LXc4MmYtZ3c4d84AAwSf","url":"https://github.com/advisories/GHSA-5x79-w82f-gw8w","title":"Inefficient Regular Expression Complexity in rails-html-sanitizer","description":"## Summary\n\nCertain configurations of rails-html-sanitizer `\u003c 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).\n\n\n## References\n\n- [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)\n- https://hackerone.com/reports/1684163\n\n\n## Credit\n\nThis vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-12-13T17:43:02.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w","https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979","https://hackerone.com/reports/1684163","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23517.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23517","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-5x79-w82f-gw8w"],"source_kind":"github","identifiers":["GHSA-5x79-w82f-gw8w","CVE-2022-23517"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.416Z","updated_at":"2025-11-04T16:41:25.000Z","epss_percentage":0.00263,"epss_percentile":0.49561,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1tY3ZmLTJxMm0teDcybc4AAwSg","url":"https://github.com/advisories/GHSA-mcvf-2q2m-x72m","title":"Improper neutralization of data URIs may allow XSS in rails-html-sanitizer","description":"## Summary\n\nrails-html-sanitizer `\u003e= 1.0.3, \u003c 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `\u003e= 2.1.0`.\n\n\n## Mitigation\n\nUpgrade to rails-html-sanitizer `\u003e= 1.4.4`.\n\n\n## Severity\n\nThe maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)\n- https://github.com/rails/rails-html-sanitizer/issues/135\n- https://hackerone.com/reports/1694173\n\n\n## Credit\n\nThis vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:45:39.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m","https://github.com/rails/rails-html-sanitizer/issues/135","https://github.com/w3c/svgwg/issues/266","https://hackerone.com/reports/1694173","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23518.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23518","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-mcvf-2q2m-x72m"],"source_kind":"github","identifiers":["GHSA-mcvf-2q2m-x72m","CVE-2022-23518"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.408Z","updated_at":"2025-11-04T16:41:47.000Z","epss_percentage":0.00277,"epss_percentile":0.50791,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003e= 1.0.3, \u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.0.0","1.0.1","1.0.2","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU5YzctNHhqMi1oZ3Z3","url":"https://github.com/advisories/GHSA-59c7-4xj2-hgvw","title":"rails-html-sanitizer Cross-site Scripting vulnerability","description":"Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2017-10-24T18:33:36.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2015-7578","https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4","https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html","http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html","http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html","http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html","http://www.openwall.com/lists/oss-security/2016/01/25/11","https://web.archive.org/web/20160128075017/http://www.securitytracker.com/id/1034816","https://github.com/advisories/GHSA-59c7-4xj2-hgvw"],"source_kind":"github","identifiers":["GHSA-59c7-4xj2-hgvw","CVE-2015-7578"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:13:39.165Z","updated_at":"2023-01-23T20:38:11.000Z","epss_percentage":0.00166,"epss_percentile":0.38251,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.0.3","vulnerable_version_range":"\u003c 1.0.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2"],"unaffected_versions":["1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1ycmZjLTdnOHAtOTlxOM4AAwSi","url":"https://github.com/advisories/GHSA-rrfc-7g8p-99q8","title":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both \"select\" and \"style\" elements.\n\nCode is only impacted if allowed tags are being overridden using either of the following two mechanisms:\n\n1. Using the Rails configuration `config.action_view.sanitized_allow_tags=`:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"select\", \"style\"]\n  ```\n\n  (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)\n\n2. Using the class method `Rails::Html::SafeListSanitizer.allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]\n  ```\n\nAll users overriding the allowed tags by either of the above mechanisms to include both \"select\" and \"style\" should either upgrade or use one of the workarounds immediately.\n\nNOTE: Code is _not_ impacted if allowed tags are overridden using either of the following mechanisms:\n\n- the `:tags` option to the Action View helper method `sanitize`.\n- the `:tags` option to the instance method `SafeListSanitizer#sanitize`.\n\n\n## Workarounds\n\nRemove either \"select\" or \"style\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209\n- https://hackerone.com/reports/1654310\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:51:40.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8","https://hackerone.com/reports/1654310","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23520.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23520","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-rrfc-7g8p-99q8"],"source_kind":"github","identifiers":["GHSA-rrfc-7g8p-99q8","CVE-2022-23520"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.390Z","updated_at":"2025-11-04T16:42:29.000Z","epss_percentage":0.00366,"epss_percentile":0.57912,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS1wZzh2LWc0eHEtaHd3Oc4AAs-c","url":"https://github.com/advisories/GHSA-pg8v-g4xq-hww9","title":"Rails::Html::Sanitizer vulnerable to Cross-site Scripting","description":"Versions of Rails::Html::Sanitizer prior to version 1.4.3 are vulnerable to XSS with certain configurations of Rails::Html::Sanitizer which  allows an attacker to inject content when the application developer has overridden the sanitizer's allowed tags to allow both `select` and `style` elements. Code is only impacted if allowed tags are being overridden. \n\nThis may be done via application configuration: ```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = [\"select\", \"style\"]```\n\nsee https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\nOr it may be done with a `:tags` option to the Action View helper `sanitize`: ```\u003c%= sanitize @comment.body, tags: [\"select\", \"style\"] %\u003e``` \n\nsee https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize \n\nIt may also be done with Rails::Html::SafeListSanitizer directly: \n```ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = [\"select\", \"style\"]```  or with\n```ruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"select\", \"style\"])```\n\nAll users overriding the allowed tags by any of the above mechanisms to include both \"select\" and \"style\" are recommended to upgrade immediately. A workaround for this issue can be applied by removing either `select` or `style` from the overridden allowed tags.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-06-25T00:00:54.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2022-32209","https://hackerone.com/reports/1530898","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-32209.yml","https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s","https://lists.debian.org/debian-lts-announce/2022/12/msg00012.html","https://github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AGRLWBEB3S5AU3D4TTROIS7O6QPHDTRH","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NHDACMCLWE32BZZTSNWQPIFUAD5I6Q47","https://github.com/advisories/GHSA-pg8v-g4xq-hww9"],"source_kind":"github","identifiers":["GHSA-pg8v-g4xq-hww9","CVE-2022-32209"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:12:14.237Z","updated_at":"2025-11-04T16:39:38.000Z","epss_percentage":0.05749,"epss_percentile":0.90045,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.3","vulnerable_version_range":"\u003c 1.4.3"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2"],"unaffected_versions":["1.4.3","1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]},{"uuid":"GSA_kwCzR0hTQS05aDlnLTkzZ2MtNjIzaM4AAwSh","url":"https://github.com/advisories/GHSA-9h9g-93gc-623h","title":"Possible XSS vulnerability with certain configurations of rails-html-sanitizer","description":"## Summary\n\nThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.\n\n- Versions affected: ALL\n- Not affected: NONE\n- Fixed versions: 1.4.4\n\n\n## Impact\n\nA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:\n\n- allow both \"math\" and \"style\" elements,\n- or allow both \"svg\" and \"style\" elements\n\nCode is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:\n\n1. using application configuration:\n\n  ```ruby\n  # In config/application.rb\n  config.action_view.sanitized_allowed_tags = [\"math\", \"style\"]\n  # or\n  config.action_view.sanitized_allowed_tags = [\"svg\", \"style\"]\n  ```\n\n  see https://guides.rubyonrails.org/configuring.html#configuring-action-view\n\n2. using a `:tags` option to the Action View helper `sanitize`:\n\n  ```\n  \u003c%= sanitize @comment.body, tags: [\"math\", \"style\"] %\u003e\n  \u003c%# or %\u003e\n  \u003c%= sanitize @comment.body, tags: [\"svg\", \"style\"] %\u003e\n  ```\n\n  see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize\n\n3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`:\n\n  ```ruby\n  # class-level option\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"math\", \"style\"]\n  # or\n  Rails::Html::SafeListSanitizer.allowed_tags = [\"svg\", \"style\"]\n  ```\n\n4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`:\n\n  ```ruby\n  # instance-level option\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"math\", \"style\"])\n  # or\n  Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [\"svg\", \"style\"])\n  ```\n\nAll users overriding the allowed tags by any of the above mechanisms to include ((\"math\" or \"svg\") and \"style\") should either upgrade or use one of the workarounds immediately.\n\n\n## Workarounds\n\nRemove \"style\" from the overridden allowed tags, or remove \"math\" and \"svg\" from the overridden allowed tags.\n\n\n## References\n\n- [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)\n- https://hackerone.com/reports/1656627\n\n\n## Credit\n\nThis vulnerability was responsibly reported by Dominic Breuker.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-12-13T17:50:25.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h","https://hackerone.com/reports/1656627","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml","https://nvd.nist.gov/vuln/detail/CVE-2022-23519","https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html","https://lists.debian.org/debian-lts-announce/2024/09/msg00045.html","https://github.com/advisories/GHSA-9h9g-93gc-623h"],"source_kind":"github","identifiers":["GHSA-9h9g-93gc-623h","CVE-2022-23519"],"repository_url":"https://github.com/rails/rails-html-sanitizer","blast_radius":0.0,"created_at":"2022-12-21T16:11:45.399Z","updated_at":"2025-11-04T16:42:00.000Z","epss_percentage":0.00152,"epss_percentile":0.36487,"packages":[{"ecosystem":"rubygems","package_name":"rails-html-sanitizer","versions":[{"first_patched_version":"1.4.4","vulnerable_version_range":"\u003c 1.4.4"}],"purl":"pkg:gem/rails-html-sanitizer","statistics":{"dependent_packages_count":32,"dependent_repos_count":517903,"downloads":603107106,"downloads_period":"total"},"affected_versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.1.0","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3"],"unaffected_versions":["1.4.4","1.5.0","1.6.0","1.6.1","1.6.2"]}]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/rubygems/rails-html-sanitizer","docker_dependents_count":1354,"docker_downloads_count":821064172,"usage_url":"https://repos.ecosyste.ms/usage/rubygems/rails-html-sanitizer","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/rubygems/rails-html-sanitizer/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-05-12T04:32:28.370Z","issues_count":47,"pull_requests_count":134,"avg_time_to_close_issue":19457960.85365854,"avg_time_to_close_pull_request":1837195.9674796748,"issues_closed_count":41,"pull_requests_closed_count":123,"pull_request_authors_count":48,"issue_authors_count":42,"avg_comments_per_issue":4.085106382978723,"avg_comments_per_pull_request":1.0970149253731343,"merged_pull_requests_count":95,"bot_issues_count":0,"bot_pull_requests_count":22,"past_year_issues_count":1,"past_year_pull_requests_count":7,"past_year_avg_time_to_close_issue":null,"past_year_avg_time_to_close_pull_request":3305208.4,"past_year_issues_closed_count":0,"past_year_pull_requests_closed_count":5,"past_year_pull_request_authors_count":3,"past_year_issue_authors_count":1,"past_year_avg_comments_per_issue":0.0,"past_year_avg_comments_per_pull_request":0.5714285714285714,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":5,"past_year_merged_pull_requests_count":3,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","maintainers":[{"login":"flavorjones","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"},{"login":"akhilgkrishnan","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"},{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}],"active_maintainers":[]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages/rails-html-sanitizer/codemeta","maintainers":[{"uuid":"207","login":"tenderlove","name":null,"email":null,"url":null,"packages_count":190,"html_url":"https://gem.coop/profiles/tenderlove","role":null,"created_at":"2025-10-08T03:46:14.295Z","updated_at":"2025-10-08T03:46:14.295Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/tenderlove/packages"},{"uuid":"1550","login":"webster132","name":null,"email":null,"url":null,"packages_count":82,"html_url":"https://gem.coop/profiles/webster132","role":null,"created_at":"2025-10-08T03:46:14.079Z","updated_at":"2025-10-08T03:46:14.079Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/webster132/packages"},{"uuid":"43998","login":"guilleiguaran","name":null,"email":null,"url":null,"packages_count":85,"html_url":"https://gem.coop/profiles/guilleiguaran","role":null,"created_at":"2025-10-08T03:46:14.124Z","updated_at":"2025-10-08T03:46:14.124Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/guilleiguaran/packages"},{"uuid":"32977","login":"fxn","name":null,"email":null,"url":null,"packages_count":62,"html_url":"https://gem.coop/profiles/fxn","role":null,"created_at":"2025-10-08T03:46:14.185Z","updated_at":"2025-10-08T03:46:14.185Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/fxn/packages"},{"uuid":"429","login":"cantoniodasilva","name":null,"email":null,"url":null,"packages_count":67,"html_url":"https://gem.coop/profiles/cantoniodasilva","role":null,"created_at":"2025-10-08T03:46:14.235Z","updated_at":"2025-10-08T03:46:14.235Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/cantoniodasilva/packages"},{"uuid":"47349","login":"rafaelfranca","name":null,"email":null,"url":null,"packages_count":107,"html_url":"https://gem.coop/profiles/rafaelfranca","role":null,"created_at":"2025-10-08T03:46:13.987Z","updated_at":"2025-10-08T03:46:13.987Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/rafaelfranca/packages"},{"uuid":"337","login":"jeremydaer","name":null,"email":null,"url":null,"packages_count":63,"html_url":"https://gem.coop/profiles/jeremydaer","role":null,"created_at":"2025-10-08T03:46:14.033Z","updated_at":"2025-10-08T03:46:14.033Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/jeremydaer/packages"},{"uuid":"528","login":"matthewd","name":null,"email":null,"url":null,"packages_count":66,"html_url":"https://gem.coop/profiles/matthewd","role":null,"created_at":"2025-10-08T03:46:14.346Z","updated_at":"2025-10-08T03:46:14.346Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/matthewd/packages"},{"uuid":"96878","login":"eileencodes","name":null,"email":null,"url":null,"packages_count":54,"html_url":"https://gem.coop/profiles/eileencodes","role":null,"created_at":"2025-10-08T03:46:14.396Z","updated_at":"2025-10-08T03:46:14.396Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/eileencodes/packages"},{"uuid":"46413","login":"byroot","name":null,"email":null,"url":null,"packages_count":105,"html_url":"https://gem.coop/profiles/byroot","role":null,"created_at":"2025-10-08T03:46:14.442Z","updated_at":"2025-10-08T03:46:14.442Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/byroot/packages"},{"uuid":"43492","login":"jhawthorn","name":null,"email":null,"url":null,"packages_count":150,"html_url":"https://gem.coop/profiles/jhawthorn","role":null,"created_at":"2025-10-08T03:46:14.489Z","updated_at":"2025-10-08T03:46:14.489Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/jhawthorn/packages"},{"uuid":"54617","login":"kamipo","name":null,"email":null,"url":null,"packages_count":61,"html_url":"https://gem.coop/profiles/kamipo","role":null,"created_at":"2025-10-08T03:46:14.536Z","updated_at":"2025-10-08T03:46:14.536Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/kamipo/packages"},{"uuid":"2583","login":"flavorjones","name":null,"email":null,"url":null,"packages_count":48,"html_url":"https://gem.coop/profiles/flavorjones","role":null,"created_at":"2025-10-08T03:46:13.941Z","updated_at":"2025-10-08T03:46:13.941Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers/flavorjones/packages"}],"registry":{"name":"gem.coop","url":"https://gem.coop","ecosystem":"rubygems","default":false,"packages_count":191797,"maintainers_count":67713,"namespaces_count":0,"keywords_count":0,"github":"gem-coop","metadata":{"funded_packages_count":6507},"icon_url":"https://github.com/gem-coop.png","created_at":"2025-10-06T17:24:20.932Z","updated_at":"2026-04-03T06:45:05.763Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/gem.coop/namespaces"}}],"commits":{"id":19424,"full_name":"rails/rails-html-sanitizer","default_branch":"main","total_commits":243,"total_committers":34,"total_bot_commits":11,"total_bot_committers":1,"mean_commits":7.147058823529412,"dds":0.5802469135802469,"past_year_total_commits":23,"past_year_total_committers":2,"past_year_total_bot_commits":7,"past_year_total_bot_committers":1,"past_year_mean_commits":11.5,"past_year_dds":0.30434782608695654,"last_synced_at":"2025-11-22T07:03:33.676Z","last_synced_commit":"2a8fe8971b02b1b14abb6634e04af4e32b0057cd","created_at":"2023-03-07T11:41:00.271Z","updated_at":"2025-11-22T07:02:54.833Z","committers":[{"name":"Mike Dalessio","email":"mike.dalessio@gmail.com","login":"flavorjones","count":102},{"name":"Timm","email":"kaspth@gmail.com","login":"kaspth","count":51},{"name":"Rafael Mendonça França","email":"rafael.franca@plataformatec.com.br","login":null,"count":21},{"name":"dependabot[bot]","email":"49699333+dependabot[bot]","login":"dependabot[bot]","count":11},{"name":"Juanito Fatas","email":"juanito.fatas@shopify.com","login":null,"count":7},{"name":"Akira Matsuda","email":"ronnie@dio.jp","login":"amatsuda","count":6},{"name":"Rafael Mendonça França","email":"rafaelmfranca@gmail.com","login":"rafaelfranca","count":6},{"name":"Rafael Mendonça França + Kasper Timm Hansen","email":"rafaelmfranca+kaspth@gmail.com","login":null,"count":5},{"name":"Godfrey Chan","email":"godfreykfc@gmail.com","login":"chancancode","count":3},{"name":"Fabian Schwahn","email":"fabian.schwahn@gmail.com","login":"fschwahn","count":3},{"name":"Aaron Patterson","email":"aaron.patterson@gmail.com","login":"tenderlove","count":2},{"name":"Nicolas Leger","email":"nicolasleger","login":"nicolasleger","count":2},{"name":"m-nakamura145","email":"masato.nakamura145@gmail.com","login":"m-nakamura145","count":2},{"name":"seyerian","email":"seyerian@pm.me","login":"seyerian","count":2},{"name":"Akhil G Krishnan","email":"akhilgkrishnan4u@gmail.com","login":"akhilgkrishnan","count":1},{"name":"George Claghorn","email":"george@basecamp.com","login":"georgeclaghorn","count":1},{"name":"Igor Victor","email":"gogainda@yandex.ru","login":"gogainda","count":1},{"name":"yui-knk","email":"spiketeika@gmail.com","login":"yui-knk","count":1},{"name":"rwojnarowski","email":"radziu92@gmail.com","login":"rwojnarowski","count":1},{"name":"maclover7","email":"me@jonathanmoss.me","login":"maclover7","count":1},{"name":"Trevor John","email":"trevor@john.tj","login":"trevorrjohn","count":1},{"name":"Tebs","email":"qatrera@gmail.com","login":"tebs","count":1},{"name":"Sean Doyle","email":"seanpdoyle","login":"seanpdoyle","count":1},{"name":"Robb Shecter","email":"robb@public.law","login":"dogweather","count":1},{"name":"Pavel Valena","email":"pvalena@redhat.com","login":"pvalena","count":1},{"name":"Paul Mesnilgrente","email":"web@paul-mesnilgrente.com","login":"paul-mesnilgrente","count":1},{"name":"Orien Madgwick","email":"_@orien.io","login":"orien","count":1},{"name":"Olle Jonsson","email":"olle.jonsson@gmail.com","login":"olleolleolle","count":1},{"name":"Neo Elit","email":"neo.999networks@gmail.com","login":"NeoElit","count":1},{"name":"Katsuhiko YOSHIDA","email":"claddvd@gmail.com","login":"kyoshidajp","count":1},{"name":"Juanito Fatas","email":"katehuang0320@gmail.com","login":"JuanitoFatas","count":1},{"name":"Josh Goodall","email":"inopinatus@inopinatus.org","login":"inopinatus","count":1},{"name":"John Weir","email":"john.weir@pharos-ei.com","login":"jweir","count":1},{"name":"John Bampton","email":"jbampton@gmail.com","login":"jbampton","count":1}],"past_year_committers":[{"name":"Mike Dalessio","email":"mike.dalessio@gmail.com","login":"flavorjones","count":16},{"name":"dependabot[bot]","email":"49699333+dependabot[bot]","login":"dependabot[bot]","count":7}],"commits_url":"https://commits.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/commits","host":{"name":"GitHub","url":"https://github.com","kind":"github","last_synced_at":"2025-11-22T00:00:11.667Z","repositories_count":6114359,"commits_count":924834066,"contributors_count":36012239,"owners_count":1118531,"icon_url":"https://github.com/github.png","host_url":"https://commits.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://commits.ecosyste.ms/api/v1/hosts/GitHub/repositories"}},"issues":{"table":{"full_name":"rails/rails-html-sanitizer","html_url":"https://github.com/rails/rails-html-sanitizer","last_synced_at":"2025-10-10T23:21:02.117Z","status":"active","issues_count":47,"pull_requests_count":131,"avg_time_to_close_issue":19457960.85365854,"avg_time_to_close_pull_request":1746126.1404958677,"issues_closed_count":41,"pull_requests_closed_count":121,"pull_request_authors_count":46,"issue_authors_count":42,"avg_comments_per_issue":4.085106382978723,"avg_comments_per_pull_request":1.0916030534351144,"merged_pull_requests_count":95,"bot_issues_count":0,"bot_pull_requests_count":21,"past_year_issues_count":3,"past_year_pull_requests_count":29,"past_year_avg_time_to_close_issue":110744.0,"past_year_avg_time_to_close_pull_request":152022.77272727274,"past_year_issues_closed_count":1,"past_year_pull_requests_closed_count":22,"past_year_pull_request_authors_count":5,"past_year_issue_authors_count":3,"past_year_avg_comments_per_issue":1.3333333333333333,"past_year_avg_comments_per_pull_request":0.41379310344827586,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":15,"past_year_merged_pull_requests_count":22,"created_at":"2023-05-12T15:47:20.626Z","updated_at":"2025-10-10T23:21:02.117Z","repository_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer","issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/rails%2Frails-html-sanitizer/issues","issue_labels_count":{"table":{"enhancement":2,"topic/html5":1}},"pull_request_labels_count":{"table":{"dependencies":21,"ruby":10}},"issue_author_associations_count":{"table":{"NONE":41,"MEMBER":4,"CONTRIBUTOR":2}},"pull_request_author_associations_count":{"table":{"MEMBER":52,"CONTRIBUTOR":45,"NONE":34}},"issue_authors":{"table":{"flavorjones":4,"archonic":2,"naitoh":2,"paul-mesnilgrente":1,"vividtone":1,"jorg-vr":1,"jackphelps":1,"moritzhoeppner":1,"mm580486":1,"puneet-sutar":1,"Sim4n6":1,"srecnig":1,"mattt416":1,"goromlagche":1,"Segaja":1,"dmpotter44":1,"nruth":1,"jeremyevans":1,"sobrinho":1,"geor-g":1,"likeuwill":1,"motiko":1,"Zeouterlimits":1,"rodolfobandeira":1,"petebytes":1,"pvalena":1,"dorianmariefr":1,"lephyrius":1,"phearle":1,"tquill":1,"terceiro":1,"CarlosCD":1,"kaspatel-mdsol":1,"boutil":1,"mayesgr":1,"miloprice":1,"Earlopain":1,"yskkin":1,"igorkasyanchuk":1,"ayzahamid":1,"kaoru":1,"stefanosc":1}},"pull_request_authors":{"table":{"flavorjones":49,"dependabot[bot]":21,"JuanitoFatas":6,"m-nakamura145":3,"Earlopain":2,"seyerian":2,"ch4n3-yoon":2,"dogweather":2,"jweir":2,"seanpdoyle":2,"rubyrider":2,"akhilgkrishnan":2,"nacengineer":2,"tongueroo":2,"adrianotadao":1,"hectron":1,"kaspergrubbe":1,"mashedkeyboard":1,"jhottenstein":1,"rodolfobandeira":1,"frederikspang":1,"dylanpinn":1,"jiahuang":1,"joshpencheon":1,"fschwahn":1,"mberrueta":1,"kyoshidajp":1,"inopinatus":1,"nicolasleger":1,"junaruga":1,"tebs":1,"luke-hill":1,"abhaynikam":1,"goromlagche":1,"jeremywrowe":1,"jacobherrington":1,"dLobatog":1,"gogainda":1,"paul-mesnilgrente":1,"trevorrjohn":1,"rwojnarowski":1,"olleolleolle":1,"orien":1,"jbampton":1,"amatsuda":1,"notnmeyer":1}},"host":{"table":{"name":"GitHub","url":"https://github.com","kind":"github","last_synced_at":"2025-10-30T00:00:25.546Z","repositories_count":11263014,"issues_count":35009938,"pull_requests_count":113611200,"authors_count":11042159,"icon_url":"https://github.com/github.png","host_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories","owners_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/owners","authors_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors"}},"past_year_issue_labels_count":{"table":{}},"past_year_pull_request_labels_count":{"table":{"dependencies":14,"ruby":10}},"past_year_issue_author_associations_count":{"table":{"NONE":2,"MEMBER":1}},"past_year_pull_request_author_associations_count":{"table":{"CONTRIBUTOR":14,"MEMBER":8,"NONE":2}},"past_year_issue_authors":{"table":{"ayzahamid":1,"flavorjones":1,"kaoru":1}},"past_year_pull_request_authors":{"table":{"dependabot[bot]":14,"flavorjones":8,"nacengineer":2}},"maintainers":[{"table":{"login":"flavorjones","count":53,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"}},{"table":{"login":"akhilgkrishnan","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/akhilgkrishnan"}},{"table":{"login":"amatsuda","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/amatsuda"}}],"active_maintainers":[{"table":{"login":"flavorjones","count":9,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/flavorjones"}}]}},"events":{"total":{"CreateEvent":12,"IssuesEvent":5,"ReleaseEvent":2,"WatchEvent":19,"DeleteEvent":9,"IssueCommentEvent":21,"PushEvent":17,"PullRequestEvent":21,"ForkEvent":7},"last_year":{"CreateEvent":11,"IssuesEvent":5,"ReleaseEvent":2,"WatchEvent":13,"DeleteEvent":8,"IssueCommentEvent":17,"PushEvent":15,"PullRequestEvent":18,"ForkEvent":5}},"keywords":[],"dependencies":[{"ecosystem":"rubygems","filepath":"rails-html-sanitizer.gemspec","sha":null,"kind":"manifest","created_at":"2022-07-12T15:04:08.484Z","updated_at":"2022-07-12T15:04:08.484Z","repository_link":"https://github.com/rails/rails-html-sanitizer/blob/main/rails-html-sanitizer.gemspec","dependencies":[{"id":159563375,"package_name":"loofah","ecosystem":"rubygems","requirements":"~\u003e 2.3","direct":true,"kind":"runtime","optional":false},{"id":159563382,"package_name":"bundler","ecosystem":"rubygems","requirements":"\u003e= 1.3","direct":true,"kind":"development","optional":false},{"id":159563385,"package_name":"rake","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":159563387,"package_name":"minitest","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":159563389,"package_name":"rails-dom-testing","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false}]},{"ecosystem":"actions","filepath":".github/workflows/ci.yml","sha":null,"kind":"manifest","created_at":"2023-01-13T16:10:14.552Z","updated_at":"2023-01-13T16:10:14.552Z","repository_link":"https://github.com/rails/rails-html-sanitizer/blob/main/.github/workflows/ci.yml","dependencies":[{"id":6890126479,"package_name":"actions/checkout","ecosystem":"actions","requirements":"v2","direct":true,"kind":"composite","optional":false},{"id":6890126480,"package_name":"ruby/setup-ruby","ecosystem":"actions","requirements":"v1","direct":true,"kind":"composite","optional":false}]},{"ecosystem":"rubygems","filepath":"Gemfile","sha":null,"kind":"manifest","created_at":"2023-12-02T02:14:53.779Z","updated_at":"2023-12-02T02:14:53.779Z","repository_link":"https://github.com/rails/rails-html-sanitizer/blob/main/Gemfile","dependencies":[{"id":14850140019,"package_name":"rake","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"runtime","optional":false},{"id":14850140020,"package_name":"minitest","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"runtime","optional":false},{"id":14850140021,"package_name":"rubocop","ecosystem":"rubygems","requirements":"\u003e= 1.25.1","direct":true,"kind":"development","optional":false},{"id":14850140022,"package_name":"rubocop-minitest","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":14850140023,"package_name":"rubocop-packaging","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":14850140024,"package_name":"rubocop-performance","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false},{"id":14850140025,"package_name":"rubocop-rails","ecosystem":"rubygems","requirements":"\u003e= 0","direct":true,"kind":"development","optional":false}]}],"score":31.16101739025647,"created_at":"2024-06-13T11:02:27.298Z","updated_at":"2026-05-14T20:30:27.625Z","avatar_url":"https://github.com/rails.png","language":"Ruby","codemeta":null,"publiccode":null,"project_url":"https://summary.ecosyste.ms/api/v1/projects/123435","html_url":"https://summary.ecosyste.ms/projects/123435"}