GHSA-w67g-2h6v-vjgq: Phlex XSS protection bypass via attribute splatting, dynamic tags, and href values
During a security audit conducted with Claude Opus 4.6 and GPT-5.3-Codex, we identified three specific ways to bypass the XSS (cross-site scripting) protection built into Phlex.
- The first bypass could happen if user-provided attributes with string keys were splatted into an HTML tag, e.g. div(**user_attributes).
- The second bypass could happen if user-provided tag names were passed to the tag method, e.g. tag(some_tag_name_from_user).
- The third bypass could happen if user-provided links were passed to href attributes, e.g. a(href: user_provided_link).
All three of these patterns are meant to be safe and all have now been patched.
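The three patterns above are all cases where data from outside the application reaches the markup layer with too little validation. The fix lives in Phlex itself (see the commits under References), but a caller can still apply its own input validation before passing user-controlled attributes, tag names, or links to a view. The helpers below are an added example written for this advisory page; they are not Phlex code and do not call Phlex. The allowlists SAFE_ATTRIBUTES, SAFE_TAGS and SAFE_SCHEMES, and the function names, are assumptions for this illustration; an application would tune the lists to the elements it actually renders.

```ruby
# Added example (not part of Phlex): caller-side validation of user-controlled
# attributes, tag names and href values before they reach a view helper.
# Allowlists and function names are hypothetical choices for this illustration.
require "uri"

# Attribute names this hypothetical helper accepts from user input.
SAFE_ATTRIBUTES = %w[id class title href src alt rel target].freeze

# Element names this helper accepts as a dynamic tag.
SAFE_TAGS = %w[div span p a ul li strong em].freeze

# URL schemes accepted in href/src values; scheme-less (relative) URLs are
# also accepted.
SAFE_SCHEMES = %w[http https mailto].freeze

# Returns the URL string if it is relative or uses an allowed scheme, nil
# otherwise. Leading whitespace and control characters are stripped first so
# a scheme cannot be hidden behind them; anything URI cannot parse is rejected.
def safe_href(value)
  str = value.to_s.sub(/\A[[:space:][:cntrl:]]+/, "")
  uri = URI.parse(str)
  return str if uri.scheme.nil? # relative URL such as "/docs"
  SAFE_SCHEMES.include?(uri.scheme.downcase) ? str : nil
rescue URI::InvalidURIError
  nil
end

# Normalises every key to a lowercase String so that String and Symbol keys
# are treated identically, drops any attribute not on the allowlist, and runs
# URL-bearing attributes through safe_href. Returns a Hash with Symbol keys
# that is safe to splat into a tag helper.
def sanitize_attributes(attrs)
  attrs.each_with_object({}) do |(key, value), out|
    name = key.to_s.downcase
    next unless SAFE_ATTRIBUTES.include?(name)
    if %w[href src].include?(name)
      value = safe_href(value)
      next if value.nil?
    end
    out[name.to_sym] = value
  end
end

# Returns the tag name as a Symbol if it is on the allowlist, nil otherwise.
def safe_tag_name(name)
  tag = name.to_s.downcase
  SAFE_TAGS.include?(tag) ? tag.to_sym : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a mix of String and Symbol keys, one event
  # handler attribute and one non-http link, as a user might submit.
  user_attrs = { "onclick" => "x()", :class => "note", "HREF" => "javascript:void(0)", "title" => "hi" }
  p sanitize_attributes(user_attrs)   # => {:class=>"note", :title=>"hi"}
  p safe_tag_name("SCRIPT")           # => nil
  p safe_href("/docs/phlex")          # => "/docs/phlex"
end
```

Key normalisation is the point that matters for the first bypass: an allowlist keyed only on Symbols would let a String-keyed attribute through, so the helper converts every key to a String before comparing. For the third bypass, parsing with URI rather than matching a prefix means malformed input is rejected rather than passed through.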
References
- github.com/advisories/GHSA-w67g-2h6v-vjgq
- github.com/yippee-fun/phlex
- github.com/yippee-fun/phlex/commit/1d85da417cb15eb8cb2f54a68d531c9b35d9d03a
- github.com/yippee-fun/phlex/commit/556441d5a64ff93f749e8116a05b2d97264468ee
- github.com/yippee-fun/phlex/commit/74e3d8610ffabc2cf5f241945e9df4b14dceb97d
- github.com/yippee-fun/phlex/commit/9f56ad13bea9a7d6117fdfd510446c890709eeac
- github.com/yippee-fun/phlex/commit/fe9ea708672f9fa42526d9b47e1cdc4634860ef1
- github.com/yippee-fun/phlex/security/advisories/GHSA-w67g-2h6v-vjgq