A Tale of Two XSS in the Rails HTML Sanitizer

12 minute read Published:

Short write-up on CVE-2022-23519 and CVE-2022-23520, two XSS vulnerabilities in the Rails HTML sanitizer. There are some explanations of the vulnerabilities, the though process and code snippets used for fuzzing.
A while ago I was writing an application based on the Rails framework which returned sanitized user input. Its purpose was to build a PoC for an XSS vulnerability in the Rails HTML sanitizer (CVE-2022-32209, which appeared in June 2022). The following is a short write-up of that endeavour and how it turned into the discovery of two additional CVEs. I start with a discussion of the original CVE-2022-32209, proceed with an investigation of the fix and how it turned out to be incomplete (CVE-2022-23520), explain how that motivated additional fuzzing which uncovered additional working attack payloads (CVE-2022-23519) and conclude with a brief outline of the fix (entirely designed and implemented by flavorjones).