In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "ruby-loofah": "2.0.3-2+deb9u2build0.16.04.1" } ] }
{ "ubuntu_priority": "low" }
{ "availability": "No subscription required", "ubuntu_priority": "low", "binaries": [ { "ruby-loofah": "2.2.3-1" } ] }