The Wire · Showcase
SVG SANITIZER VULNERABILITY PATCHED, RAILS DOCS OVERHAULED
By RepoJournal · Filed · About Rails
Rails-html-sanitizer 1.7.1 shipped overnight to plug an SVG href vulnerability that slipped through the xlink-only fix.
The rails-html-sanitizer team closed a critical gap in SVG sanitization [1] where plain `href` attributes on reference elements like `<use>` could still pull external documents, bypassing the security model that restricted only `xlink:href`. Version 1.7.1 [2] now enforces both attributes via Loofah's SVG_HREF_ATTRIBUTES set, matching upstream security fixes. Meanwhile, Rails core pushed forward on documentation and dependency fixes [4]. A follow-up PR addressing missing ActiveSupport requires across 27 files [3] ensures core extensions actually load without silent failures, fixing the kind of NoMethodError that only surfaces in production. Smaller polish landed on Relation query docs [5] and Rubocop violations, keeping the codebase clean between major cycles.
Action items
- → Upgrade rails-html-sanitizer to 1.7.1 before next deploy if using custom PermitScrubber with SVG elements rails/rails-html-sanitizer [immediate]
- → Review the ActiveSupport requires PR [ref:2] when it lands to understand which files need explicit loads in your app rails/rails [plan]
- → Monitor rails/rails for the 27-file requires merge to test in your suite rails/rails [monitor]
References
- [1] Properly restrict SVG href attributes rails/rails-html-sanitizer
- [2] v1.7.1 ↗ rails/rails-html-sanitizer
- [3] Add missing ActiveSupport core extension and feature requires ↗ rails/rails
- [4] [RF-Docs] [ci-skip] Update the Rails Generators guide ↗ rails/rails
- [5] Fix `Relation#one?` doc example calling `any?` [ci skip] rails/rails