{"id":"GHSA-2j22-pr5w-6gq8","summary":"Loofah has improper detection of disallowed URIs via `allowed_uri?`","details":"## Summary\n\n`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `&#13;` (carriage return), `&#10;` (line feed), or `&#9;` (tab).\n\n## Details\n\nThe `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java&#13;script:alert(1)` survive the control character strip, then `&#13;` is decoded to a carriage return, producing `java\\rscript:alert(1)`. Because a browser's URL parser removes ASCII tab, line feed and carriage return from its input before reading the scheme, that value resolves to `javascript:alert(1)` once it lands in an `href`.\n\nNote that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.\n\n## Impact\n\nApplications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).\n\nThis only affects Loofah `2.25.0`.\n\n## Mitigation\n\nUpgrade to Loofah \u003e= `2.25.1`.\n\n## Credit\n\nResponsibly reported by HackerOne user @smlee.","modified":"2026-04-08T05:16:31.110296Z","published":"2026-03-26T22:19:02Z","related":["CGA-jm8q-hrhr-7p5m"],"database_specific":{"severity":"LOW","nvd_published_at":null,"github_reviewed_at":"2026-03-26T22:19:02Z","cwe_ids":["CWE-116","CWE-79"],"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m"},{"type":"WEB","url":"https://github.com/flavorjones/loofah/commit/f4ebc9c5193dde759a57541062e490e86fc7c068"},{"type":"PACKAGE","url":"https://github.com/flavorjones/loofah"},{"type":"WEB","url":"https://github.com/flavorjones/loofah/releases/tag/v2.25.1"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/GHSA-46fp-8f5p-pf2m.yml"}],"affected":[{"package":{"name":"loofah","ecosystem":"RubyGems","purl":"pkg:gem/loofah"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.25.0"},{"fixed":"2.25.1"}]}],"versions":["2.25.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2j22-pr5w-6gq8/GHSA-2j22-pr5w-6gq8.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}
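The ordering bug the advisory's details describe, as an added Ruby model. This is not Loofah's source and not the 2.25.1 patch: the scheme allowlist, the scheme regex, the numeric-entity decoder and the function names are assumptions chosen to reproduce the behaviour the advisory states (strip literal controls, then decode entities) next to the order a correct check needs (decode, then strip). `browser_scheme` models the URL-parser step that makes the bypass exploitable: tab, LF and CR are removed from the attribute value before the scheme is read.

```ruby
# Constructed model of GHSA-2j22-pr5w-6gq8; NOT Loofah's code. All names,
# the allowlist and the regexes below are assumptions for illustration.
SAFE_SCHEMES = %w[http https mailto].freeze

# C0 controls, space, DEL and C1 controls. Entity-encoded forms such as
# "&#13;" are plain printable ASCII and do not match this class.
CONTROL_CHARS = /[\u0000-\u0020\u007f-\u009f]/

# RFC 3986 scheme followed by a colon. "java\rscript:" does not match, so a
# checker using this regex treats the value as a relative URL.
SCHEME = /\A([A-Za-z][A-Za-z0-9+.\-]*):/

# Minimal decoder for decimal and hex numeric character references only
# (named entities such as &Tab; are out of scope for this model).
def decode_entities(str)
  str.gsub(/&#(x[0-9a-f]+|[0-9]+);/i) do
    ref = Regexp.last_match(1)
    code = ref[0].downcase == "x" ? ref[1..].to_i(16) : ref.to_i
    code.chr(Encoding::UTF_8)
  end
end

def scheme_allowed?(uri)
  m = SCHEME.match(uri)
  return true if m.nil?                 # relative URL: nothing to block
  SAFE_SCHEMES.include?(m[1].downcase)
end

# Vulnerable order: strip literal controls, THEN decode entities. A CR that
# arrives as "&#13;" survives the strip and is decoded afterwards.
def allowed_uri_vulnerable?(uri)
  decoded = decode_entities(uri.gsub(CONTROL_CHARS, ""))
  scheme_allowed?(decoded)
end

# Corrected order: decode first so the control characters produced by the
# decoder are what gets stripped.
def allowed_uri_fixed?(uri)
  stripped = decode_entities(uri).gsub(CONTROL_CHARS, "")
  scheme_allowed?(stripped)
end

# What a browser sees: the attribute value is entity-decoded by the HTML
# parser, then the URL parser drops ASCII tab/LF/CR before parsing the scheme.
def browser_scheme(attr_value)
  url = decode_entities(attr_value).delete("\t\n\r")
  m = SCHEME.match(url)
  m && m[1].downcase
end

# Constructed inputs: expected [vulnerable verdict, fixed verdict].
PAYLOADS = {
  "http://example.com/"       => [true,  true],
  "javascript:alert(1)"       => [false, false],
  "java\rscript:alert(1)"     => [false, false], # literal CR: both strip it
  "java&#13;script:alert(1)"  => [true,  false], # encoded CR: the bypass
  "java&#10;script:alert(1)"  => [true,  false],
  "java&#9;script:alert(1)"   => [true,  false],
  "java&#x0D;script:alert(1)" => [true,  false],
}.freeze

# Verdict table: uri => { vulnerable:, fixed:, browser: }
def verdicts
  PAYLOADS.keys.to_h do |uri|
    [uri, { vulnerable: allowed_uri_vulnerable?(uri),
            fixed: allowed_uri_fixed?(uri),
            browser: browser_scheme(uri) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  verdicts.each do |uri, v|
    puts format("%-28p vulnerable=%-5s fixed=%-5s browser=%p",
                uri, v[:vulnerable], v[:fixed], v[:browser])
  end
end
```

Run it and read the `browser` column against the `vulnerable` column: every entity-encoded payload the vulnerable order accepts is one the browser resolves to `javascript`, which is exactly the gap the advisory describes, while a literal CR is stripped by both orders and so was never the problem. As the advisory notes, this matters only for direct callers of `allowed_uri?` on HTML-encoded strings; the `sanitize()` path already sees decoded text.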