GHSA-4249-GJR8-JPQ3

Vulnerability from github – Published: 2025-11-13 22:59 – Updated: 2026-01-23 23:00
VLAI?
Summary
Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-52c5-vh7f-26fx. This link is maintained to preserve external references.

Original Description

Impact

The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.

Who is impacted:

  • Any application using prosemirror_to_html to convert ProseMirror documents to HTML
  • Applications that process user-generated ProseMirror content are at highest risk
  • End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers

Attack vectors include:

  • href attributes with javascript: protocol: <a href="javascript:alert(document.cookie)">
  • Event handlers: <div onclick="maliciousCode()">
  • onerror attributes on images: <img src=x onerror="alert('XSS')">
  • Other HTML attributes that can execute JavaScript

Patches

A fix is currently in development. Users should upgrade to version 0.2.1 or later once released. The patch escapes all HTML attribute values using CGI.escapeHTML to prevent injection attacks.

Workarounds

Until a patched version is available, users can implement one or more of these mitigations:

  1. Sanitize output: Pass the HTML output through a sanitization library like Sanitize or Loofah:
   html = ProsemirrorToHtml.render(document)
   safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)
  1. Implement Content Security Policy (CSP): Add strict CSP headers to prevent inline JavaScript execution:
   Content-Security-Policy: default-src 'self'; script-src 'self'
  1. Input validation: If possible, validate and sanitize ProseMirror documents before conversion to prevent malicious content from entering the system.

References

  • Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
  • OWASP XSS Prevention Cheat Sheet
Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "prosemirror_to_html"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T22:59:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-52c5-vh7f-26fx. This link is maintained to preserve external references.\n\n## Original Description\n### Impact\n\nThe prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.\n\n**Who is impacted:**\n\n- Any application using prosemirror_to_html to convert ProseMirror documents to HTML\n- Applications that process user-generated ProseMirror content are at highest risk\n- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers\n\n**Attack vectors include:**\n\n- `href` attributes with `javascript:` protocol:\n  `\u003ca href=\"javascript:alert(document.cookie)\"\u003e`\n- Event handlers: `\u003cdiv onclick=\"maliciousCode()\"\u003e`\n- `onerror` attributes on images: `\u003cimg src=x onerror=\"alert(\u0027XSS\u0027)\"\u003e`\n- Other HTML attributes that can execute JavaScript\n\n### Patches\n\nA fix is currently in development. Users should upgrade to version **0.2.1** or later once released. The patch escapes all HTML attribute values using `CGI.escapeHTML` to prevent injection attacks.\n\n### Workarounds\n\nUntil a patched version is available, users can implement one or more of these mitigations:\n\n1. **Sanitize output**: Pass the HTML output through a sanitization\n   library like [Sanitize](https://github.com/rgrove/sanitize) or\n   [Loofah](https://github.com/flavorjones/loofah):\n\n```ruby\n   html = ProsemirrorToHtml.render(document)\n   safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)\n```\n\n2. **Implement Content Security Policy (CSP)**: Add strict CSP\n   headers to prevent inline JavaScript execution:\n```\n   Content-Security-Policy: default-src \u0027self\u0027; script-src \u0027self\u0027\n```\n\n3. **Input validation**: If possible, validate and sanitize\n   ProseMirror documents before conversion to prevent malicious\n   content from entering the system.\n\n### References\n\n- Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249\n- [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)",
  "id": "GHSA-4249-gjr8-jpq3",
  "modified": "2026-01-23T23:00:51Z",
  "published": "2025-11-13T22:59:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8"
    },
    {
      "type": "WEB",
      "url": "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/etaminstudio/prosemirror_to_html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/prosemirror_to_html/GHSA-vfpf-xmwh-8m65.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values",
  "withdrawn": "2026-01-23T23:00:51Z"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.