HackerOne Disclosed Reports - 2026-04-18


Severity: Low | Status: resolved

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split j‌avascript: URLs


Bug reported by smlee was disclosed on April 18, 2026, 3:27 pm.

A vulnerability was discovered in the `Rails::HTML::Sanitizer.allowed_uri?` method of the `rails-html-sanitizer` library. The method incorrectly returned `true` for `j‌avascript:` URLs whose scheme was obfuscated with HTML entity encoding and split by control characters, so an application that relied on the method's result to make security decisions could accept a URL it should have rejected.
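As an added example (not code from rails-html-sanitizer, and not a reproduction of how `allowed_uri?` itself behaves), here is a conservative scheme check in Ruby that decodes numeric character references and strips control characters before comparing the scheme against an assumed allowlist. Decoding has to happen before stripping, since an entity-encoded tab only becomes a control character after decoding.

```ruby
# Added example, not code from rails-html-sanitizer: a conservative URI
# scheme check that normalises the two obfuscations named in the report
# (numeric character references and embedded control characters) before
# looking at the scheme. SAFE_SCHEMES is an assumed allowlist.
SAFE_SCHEMES = %w[http https mailto].freeze

# Decode numeric character references (&#106; / &#x6A;), with or without
# the trailing ';' that browsers tolerate in attribute values. A single
# pass, matching the one decode an HTML parser applies to an attribute.
def decode_numeric_refs(str)
  str.gsub(/&#(?:x([0-9a-f]+)|([0-9]+));?/i) do
    code = $1 ? $1.hex : $2.to_i
    valid = code <= 0x10FFFF && !(0xD800..0xDFFF).cover?(code)
    valid ? code.chr(Encoding::UTF_8) : $&
  end
end

# Decode first, then strip control characters: an encoded tab (&#9;) only
# becomes a control character after decoding, which is the order the
# bypass described in the report depends on.
def normalize_uri(raw)
  decode_numeric_refs(raw).gsub(/[[:cntrl:]]/, '').strip
end

# True only for a scheme-less (relative) URI or an allowlisted scheme.
# Anything that looks like a scheme but is not on the list is rejected.
def allowed_uri?(raw)
  uri = normalize_uri(raw)
  colon = uri.index(':')
  # No ':' before a path, query or fragment delimiter means no scheme.
  return true if colon.nil? || uri[0, colon].match?(%r{[/?#]})
  SAFE_SCHEMES.include?(uri[0, colon].downcase)
end

# Constructed inputs; the last two are the obfuscated forms the report names.
if __FILE__ == $PROGRAM_NAME
  ['https://example.com/?next=a:b', '/relative/path', 'javascript:void(0)',
   '&#106;ava&#9;script:void(0)', '&#x6A;ava&#x9;script&#58;void(0)'].each do |u|
    puts "#{allowed_uri?(u)}\t#{u.inspect}"
  end
end
```

Named entities such as `&Tab;` are deliberately left undecoded; they then fail the allowlist comparison, so the check stays conservative rather than permissive for encodings it does not understand.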




