7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-vfpf-xmwh-8m65

GHSA-vfpf-xmwh-8m65: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

Impact

The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.

Who is impacted:

Any application using prosemirror_to_html to convert ProseMirror documents to HTML
Applications that process user-generated ProseMirror content are at highest risk
End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers

Attack vectors include:

href attributes with javascript: protocol: <a href="javascript:alert(document.cookie)">
Event handlers: <div onclick="maliciousCode()">
onerror attributes on images: <img src=x onerror="alert('XSS')">
Other HTML attributes that can execute JavaScript

Patches

A fix is currently in development. Users should upgrade to version 0.2.1 or later once released.

The patch escapes all HTML attribute values using CGI.escapeHTML to prevent injection attacks.

Workarounds

Until a patched version is available, users can implement one or more of these mitigations:

Sanitize output: Pass the HTML output through a sanitization library like Sanitize or Loofah:

   html = ProsemirrorToHtml.render(document)
   safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)

Implement Content Security Policy (CSP): Add strict CSP headers to prevent inline JavaScript execution:

   Content-Security-Policy: default-src 'self'; script-src 'self'

Input validation: If possible, validate and sanitize ProseMirror documents before conversion to prevent malicious content from entering the system.

References

Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249
OWASP XSS Prevention Cheat Sheet

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-vfpf-xmwh-8m65

GHSA-vfpf-xmwh-8m65:

7.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
prosemirror_to_html	rubygems	< 0.2.1	0.2.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the prosemirror_to_html gem, specifically in how it constructs HTML tags from a ProseMirror document. The analysis of the patch in commit 4d59f94f550bcabeec30d298791bbdd883298ad8 reveals that the render_opening_tag function in lib/prosemirror_to_html.rb was modified. Before the patch, this function directly concatenated attribute values into the HTML string. The line - attrs << " #{attr}=\"#{value}\"" shows that the value is not sanitized or escaped. This allows an attacker to craft a ProseMirror document with malicious attribute values (e.g., href="javascript:alert(1)" or onerror="alert(1)"). When ProsemirrorToHtml.render is called on this document, the render_opening_tag function will be executed, creating a malicious HTML tag and leading to a Cross-Site Scripting (XSS) vulnerability. The patch fixes this by introducing escaped_value = CGI.escapeHTML(value.to_s) and using this escaped value instead, thus neutralizing the vulnerability. Therefore, ProsemirrorToHtml::Renderer.render_opening_tag is the key vulnerable function that would appear in a runtime profile during exploitation.

Vulnerable functions

ProsemirrorToHtml::Renderer.render_opening_tag

lib/prosemirror_to_html.rb

The function constructs an HTML opening tag by iterating over attributes and their values. The `value` is directly interpolated into the resulting string without any escaping, allowing for the injection of malicious content, such as JavaScript event handlers (e.g., `onclick`) or `javascript:` URIs in `href` attributes.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.6

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-vfpf-xmwh-8m65: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

Impact

Patches

Workarounds

References

GHSA-vfpf-xmwh-8m65:

7.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.6

7.6

Technical Details

Basic Information

Basic Information

GHSA-vfpf-xmwh-8m65: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI