

XSS Vulnerability in the `sanitize` helper of Ruby on Rails - ch0wn
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI

======
danso
(crossposted from the JRuby vulnerability submission, which is different from
this sanitize helper issue) The sole change seems to be in the regex that was
used to match the protocol separator (i.e. the colon). The change is from
this:

    /:|(&#0*58)|(&#x70)|(%|&#37;)3A/

to this:

    /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i

Presumably the previous regex allowed an attacker to insert a variation of
"javascript:foo()" and get past an HTML sanitize call. It seems like a
bug/oversight unrelated to the YAML deserialization issues from the past
months.
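To make the effect of the regex change concrete, here is an added example (it is not code from the Rails patch, nor from the post above) that runs both separator regexes against a set of constructed href values. The `bad_protocol?` helper is an assumed, simplified stand-in for the shape of the sanitizer's check (scheme before the first separator, compared with an allow-list), not the sanitizer's actual code; `ALLOWED_PROTOCOLS` is a shortened allow-list chosen for the example.

```ruby
# Added example, not from Rails or the post: compares the old and new
# protocol-separator regexes quoted above against encoded colons.
OLD_SEPARATOR = /:|(&#0*58)|(&#x70)|(%|&#37;)3A/
NEW_SEPARATOR = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i

# Shortened allow-list of URI schemes (assumption for the example).
ALLOWED_PROTOCOLS = %w[http https mailto ftp].freeze

# Simplified stand-in for the sanitizer's bad-protocol check (an assumption
# about its shape, not its exact code): if the raw attribute value contains a
# separator, everything before the first one is the scheme; reject it unless
# it is on the allow-list. Whitespace and control characters are stripped
# first because browsers ignore them inside a scheme.
def bad_protocol?(value, separator)
  return false unless value =~ separator
  scheme = value.split(separator).first.to_s.gsub(/[\s[:cntrl:]]+/, '').downcase
  !ALLOWED_PROTOCOLS.include?(scheme)
end

# Constructed test vectors: [attribute value, attacker-controlled scheme?].
# The entity forms are left untouched by the sanitizer and are decoded back to
# ':' only once the attribute reaches the browser's DOM.
VECTORS = [
  ['http://example.com/',           false],
  ['mailto:user@example.com',       false],
  ['javascript:alert(1)',           true],
  ['javascript&#58;alert(1)',       true],  # decimal entity: matched by &#0*58
  ['javascript&#0058;alert(1)',     true],
  ['javascript&#x3a;alert(1)',      true],  # hex entity: not in the old regex
  ['javascript&#X3A;alert(1)',      true],  # uppercase: needs the /i flag
  ['javascript&#x0003a;alert(1)',   true],  # leading zeros: &#x0*3a
  ["java\tscript&#x3a;alert(1)",    true],
].freeze

# Vectors with an attacker-controlled scheme that the given separator regex
# fails to flag, i.e. sanitizer bypasses.
def bypasses(separator)
  VECTORS.select { |value, malicious| malicious && !bad_protocol?(value, separator) }
         .map(&:first)
end

if __FILE__ == $0
  { 'old' => OLD_SEPARATOR, 'new' => NEW_SEPARATOR }.each do |name, sep|
    puts "#{name} regex bypassed by: #{bypasses(sep).inspect}"
  end
end
```

The old regex lets every hex-entity form through: the check runs on the raw attribute text before any entity decoding, so a colon written as `&#x3a;` (or with uppercase hex or leading zeros) never matches, the value is kept verbatim, and the browser decodes it to `javascript:` afterwards. Adding `(&#x0*3a)` and the `/i` flag closes exactly those forms; the decimal-entity and literal-colon cases were already caught by both versions.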

