Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute values

Description

Impact

The prosemirror_to_html gem is vulnerable to Cross-Site Scripting (XSS) attacks through malicious HTML attribute values. While tag content is properly escaped, attribute values are not, allowing attackers to inject arbitrary JavaScript code.

Who is impacted:
- Any application using prosemirror_to_html to convert ProseMirror documents to HTML
- Applications that process user-generated ProseMirror content are at highest risk
- End users viewing the rendered HTML output could have malicious JavaScript executed in their browsers

Attack vectors include:
- href attributes with javascript: protocol: <a href="javascript:alert(document.cookie)">
- Event handlers: <div onclick="maliciousCode()">
- onerror attributes on images: <img src=x onerror="alert('XSS')">
- Other HTML attributes that can execute JavaScript

Patches

A fix is currently in development. Users should upgrade to version 0.2.1 or later once released.

The patch escapes all HTML attribute values using CGI.escapeHTML to prevent injection attacks.

Workarounds

Until a patched version is available, users can implement one or more of these mitigations:

  1. Sanitize output: Pass the HTML output through a sanitization library like Sanitize or Loofah:
   html = ProsemirrorToHtml.render(document)
   safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED)
  1. Implement Content Security Policy (CSP): Add strict CSP headers to prevent inline JavaScript execution:
   Content-Security-Policy: default-src 'self'; script-src 'self'
  1. Input validation: If possible, validate and sanitize ProseMirror documents before conversion to prevent malicious content from entering the system.

References

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-11-06 15:44:35 UTC
Updated
2026-01-23 21:37:35 UTC
GitHub reviewed
2025-11-06 15:44:35 UTC
NVD published
2025-11-10

EPSS Score

Score Percentile
0.02% 6.08%

CVSS Scores

Base score Version Severity Vector
7.6 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • polypixeldev (remediation_developer)
  • Luke-Oldenburg (reporter)
  • Spone (remediation_reviewer)
  • 9021007 (finder)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rubygems prosemirror_to_html < 0.2.1 0.2.1

References

cvelogic Threat Intelligence