GHSA-2j22-pr5w-6gq8: Loofah has improper detection of disallowed URIs via `allowed_uri?`
Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as &#13; (carriage return), &#10; (line feed), or &#9; (tab). Once the HTML parser decodes the entity, the attribute value carries a raw control character inside the scheme, so the check no longer recognises it as a javascript: URI and lets it through, while browsers strip tab, line feed and carriage return during URL parsing and execute the script.
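The following Ruby example is added here to show the bypass class described above; it is not Loofah's code and does not reproduce the project's actual implementation or its fix. It places an illustrative scheme-allowlist check that fails in the way the advisory describes next to a hardened version that normalises the value first. CGI.unescapeHTML stands in for the entity decoding the HTML parser performs, the sample attribute values are constructed, and the ALLOWED_PROTOCOLS list is an assumption for the example.

```ruby
require "cgi"

# Constructed sample attribute values as they would appear in HTML source,
# mapped to whether a sanitizer should allow them.
SAMPLES = {
  "http://example.com/"      => true,
  "javascript:alert(1)"      => false,
  "java&#13;script:alert(1)" => false, # scheme split by an encoded CR
  "java&#10;script:alert(1)" => false, # scheme split by an encoded LF
  "&#9;javascript:alert(1)"  => false, # scheme preceded by an encoded tab
  "/relative/path"           => true,
  "mailto:a@b.example"       => true,
}.freeze

# Illustrative allowlist (an assumption for this example, not Loofah's list).
ALLOWED_PROTOCOLS = %w[http https mailto ftp].freeze

SCHEME_RE = /\A([a-z][a-z0-9+.\-]*):/i

# Flawed check (illustrative, not Loofah's code): the HTML parser has already
# turned &#13; into a raw "\r", which the scheme regex does not admit, so the
# value looks schemeless, is treated as a relative URL, and is allowed. The
# browser later strips the "\r" and runs javascript:.
def naive_allowed_uri?(value)
  decoded = CGI.unescapeHTML(value) # stands in for the HTML parser's decoding
  m = decoded.match(SCHEME_RE)
  return true unless m # no scheme found: treated as relative

  ALLOWED_PROTOCOLS.include?(m[1].downcase)
end

# Hardened check: remove ASCII whitespace, C0 controls and DEL before looking
# for a scheme, so the value is judged the way a browser's URL parser will
# see it. Anything that then carries a scheme must be on the allowlist.
def hardened_allowed_uri?(value)
  decoded = CGI.unescapeHTML(value)
  normalized = decoded.gsub(/[\u0000-\u0020\u007F]/, "")
  m = normalized.match(SCHEME_RE)
  return true unless m

  ALLOWED_PROTOCOLS.include?(m[1].downcase)
end

# Returns the sample values a given checker misjudges (decides differently
# from the expected verdict in SAMPLES).
def misjudged(checker)
  SAMPLES.reject { |value, expected| send(checker, value) == expected }.keys
end

if $PROGRAM_NAME == __FILE__
  puts "naive check lets through:     #{misjudged(:naive_allowed_uri?).inspect}"
  puts "hardened check misjudges:    #{misjudged(:hardened_allowed_uri?).inspect}"
end
```

Stripping every C0 control anywhere in the value is deliberately stricter than the WHATWG URL parser, which removes only tab and newline characters from the interior of the input; for a sanitizer allowlist the stricter form is the safe side. Applications on an affected release should take the fixed release referenced below (v2.25.1) rather than patch around the check themselves.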
References
- github.com/advisories/GHSA-2j22-pr5w-6gq8
- github.com/flavorjones/loofah
- github.com/flavorjones/loofah/commit/f4ebc9c5193dde759a57541062e490e86fc7c068
- github.com/flavorjones/loofah/releases/tag/v2.25.1
- github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m
- github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/GHSA-46fp-8f5p-pf2m.yml