GHSA-4249-gjr8-jpq3

Source
https://github.com/advisories/GHSA-4249-gjr8-jpq3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-4249-gjr8-jpq3/GHSA-4249-gjr8-jpq3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4249-gjr8-jpq3
Published
2025-11-13T22:59:15Z
Modified
2025-11-13T23:23:38.426821Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Summary
ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values
Details

Impact

The prosemirrortohtml gem (published as prosemirror_to_html) is vulnerable to Cross-Site Scripting (XSS) through malicious HTML attribute values. Text content is escaped, but attribute values taken from the ProseMirror document, such as a link's href or an image's src, are written into the output verbatim. A value containing a double quote therefore terminates the attribute and lets the attacker append further attributes such as an event handler, and a javascript: URL passes through unchanged; either way, arbitrary JavaScript runs in the browser of anyone viewing the rendered output.

Who is impacted:

  • Any application using prosemirrortohtml to convert ProseMirror documents to HTML
  • Applications that process user-generated ProseMirror content are at highest risk
  • End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers

Attack vectors include:

  • href attributes with javascript: protocol: <a href="javascript:alert(document.cookie)">
  • Event handlers: <div onclick="maliciousCode()">
  • onerror attributes on images: <img src=x onerror="alert('XSS')">
  • Other HTML attributes that can execute JavaScript

Patches

A fix is currently in development; upgrade to version 0.2.1 or later once it is released. The patch escapes all HTML attribute values with CGI.escapeHTML, which turns a quote inside a value into &quot; and so prevents breaking out of the attribute. Note that escaping does not alter a javascript: URL, so applications that accept links from untrusted users should additionally restrict URL schemes or sanitize the output (see Workarounds).

Workarounds

Until a patched version is available, users can implement one or more of these mitigations:

  1. Sanitize output: Pass the HTML output through a sanitization library like Sanitize or Loofah. A sanitizer drops event-handler attributes and restricts href and src to an allowlist of URL schemes, which also covers the javascript: vector that attribute escaping alone does not:

       require "sanitize"

       html = ProsemirrorToHtml.render(document)
       safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)

  2. Implement Content Security Policy (CSP): Add a CSP header whose script-src does not include 'unsafe-inline'. That blocks inline event handlers such as onclick and onerror as well as javascript: URLs, so an injected attribute cannot execute script even if it reaches the page:

       Content-Security-Policy: default-src 'self'; script-src 'self'

  3. Input validation: If possible, validate and sanitize ProseMirror documents before conversion to prevent malicious content from entering the system.
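The following Ruby script is an added example, not code from the prosemirror_to_html gem or its patch. It renders a small constructed ProseMirror document (the names ToyRenderer, sample_doc and render_all are this example's own) in three modes: the vulnerable pattern in which text is escaped but attribute values are not, the fix described under Patches (every attribute value passed through CGI.escapeHTML), and a hardened mode that additionally applies the URL scheme allowlist that a sanitizer such as Sanitize enforces. Comparing the three outputs shows that escaping closes the attribute-breakout vectors while a javascript: href survives escaping untouched, which is why the sanitizer workaround stays useful after upgrading.

```ruby
require "cgi"
require "uri"

# Illustrative renderer for a tiny subset of the ProseMirror document model
# (paragraph, text with link marks, image). It is NOT the prosemirror_to_html
# gem; it only reproduces the pattern the advisory describes: text nodes are
# escaped, attribute values are not.
class ToyRenderer
  SAFE_SCHEMES = %w[http https mailto].freeze

  # :raw      - vulnerable: attribute values interpolated verbatim
  # :escape   - the advisory's fix: CGI.escapeHTML on every attribute value
  # :hardened - :escape plus a URL scheme allowlist for href/src
  def initialize(mode)
    @mode = mode
  end

  def render(doc)
    doc["content"].map { |node| render_node(node) }.join
  end

  private

  def render_node(node)
    case node["type"]
    when "paragraph"
      "<p>#{node["content"].map { |child| render_node(child) }.join}</p>"
    when "text"
      text = CGI.escapeHTML(node["text"]) # text content is escaped in every mode
      (node["marks"] || []).reduce(text) { |inner, mark| wrap_mark(mark, inner) }
    when "image"
      attrs = node["attrs"]
      "<img#{attr("src", attrs["src"], url: true)}#{attr("alt", attrs["alt"])}>"
    else
      ""
    end
  end

  def wrap_mark(mark, inner)
    return inner unless mark["type"] == "link"
    "<a#{attr("href", mark["attrs"]["href"], url: true)}>#{inner}</a>"
  end

  def attr(name, value, url: false)
    # Escaping alone leaves "javascript:..." intact, so :hardened also drops
    # any URL whose scheme is not on the allowlist (relative URLs are kept).
    return "" if url && @mode == :hardened && !safe_url?(value)
    value = CGI.escapeHTML(value) unless @mode == :raw
    %( #{name}="#{value}")
  end

  def safe_url?(value)
    uri = URI.parse(value)
    uri.scheme.nil? || SAFE_SCHEMES.include?(uri.scheme.downcase)
  rescue URI::InvalidURIError
    false # anything the URI parser rejects is treated as unsafe
  end
end

# Constructed ProseMirror document carrying the advisory's attack vectors
# (attribute breakout on href and src, javascript: href) plus one legitimate link.
def sample_doc
  link = lambda do |href, text|
    { "type" => "text", "text" => text,
      "marks" => [{ "type" => "link", "attrs" => { "href" => href } }] }
  end
  { "type" => "doc", "content" => [
    { "type" => "paragraph",
      "content" => [link.call(%{https://example.com/" onmouseover="alert(1)}, "click <me>")] },
    { "type" => "image", "attrs" => { "src" => %{x" onerror="alert('XSS')}, "alt" => "pic" } },
    { "type" => "paragraph", "content" => [link.call("javascript:alert(document.cookie)", "js")] },
    { "type" => "paragraph", "content" => [link.call("https://example.com/?q=a&b=1", "ok")] }
  ] }
end

# Render the sample document in all three modes, keyed by mode.
def render_all(doc = sample_doc)
  %i[raw escape hardened].to_h { |mode| [mode, ToyRenderer.new(mode).render(doc)] }
end

if $PROGRAM_NAME == __FILE__
  render_all.each { |mode, html| puts "#{mode}:\n  #{html}" }
end
```

Run it with ruby and compare the three lines of output: :raw emits the injected onmouseover and onerror handlers verbatim, :escape turns the quotes into &quot; so the breakout fails but still emits href="javascript:alert(document.cookie)", and only :hardened drops that link while keeping the legitimate one.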

References

  • Vulnerable code: https://github.com/etaminstudio/prosemirrortohtml/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirrortohtml.rb#L249
  • OWASP XSS Prevention Cheat Sheet
Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T22:59:15Z",
    "severity": "HIGH",
    "nvd_published_at": null
}
Affected packages

RubyGems / prosemirror_to_html

Package

Name
prosemirror_to_html
Purl
pkg:gem/prosemirror_to_html

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.2.1

Affected versions

0.*

0.1.0
0.2.0