HackerOne Disclosed Reports - 2026-04-18 - Printable Version
Dark C0d3rs (https://darkcoders.wiki)
Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
Thread: HackerOne Disclosed Reports - 2026-04-18 (/Thread-HackerOne-Disclosed-Reports-2026-04-18)
HackerOne disclosed reports - 2026-04-18 - hashXploiter - 04-19-2026
Severity: Low
Status: resolved
Title: Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs
Bug reported by smlee was disclosed at April 18, 2026, 3:27 pm

A vulnerability was discovered in the `Rails::HTML::Sanitizer.allowed_uri?` method of the `rails-html-sanitizer` library. The method incorrectly returned `true` for entity-encoded control-character-split `javascript:` URLs, which could lead to potential security issues if the application relied on the method's result to make security decisions.
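The failure mode in the report above, as an added illustration that is not rails-html-sanitizer's own code: a scheme allowlist applied to the raw attribute text accepts a `javascript:` URL whose scheme is split by an entity-encoded tab, while a check that decodes the value and applies the browser's URL normalisation first rejects it. The names `naive_allowed_uri?`, `hardened_allowed_uri?`, `decode_entities`, the `SAFE_SCHEMES` list and the sample value are all constructed for this example.

```ruby
# Added illustration, not rails-html-sanitizer's own code: a scheme check on the
# raw attribute text versus one that first normalises the value the way a
# browser does before handing it to its URL parser.

SAFE_SCHEMES = %w[http https mailto].freeze
SCHEME_RE = /\A([a-z][a-z0-9+.\-]*):/i

# Constructed naive check: a value with no recognisable scheme is treated as a
# relative URL, so anything that hides the scheme from the regex is accepted.
def naive_allowed_uri?(raw)
  m = raw.match(SCHEME_RE)
  m.nil? || SAFE_SCHEMES.include?(m[1].downcase)
end

# Minimal HTML character-reference decoder (numeric references plus a few named
# ones); a browser performs this step before the URL is ever parsed.
NAMED_REFS = { "amp" => "&", "lt" => "<", "gt" => ">", "quot" => '"',
               "Tab" => "\t", "NewLine" => "\n" }.freeze

def decode_entities(s)
  s.gsub(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/i) do
    if $1 then $1.to_i(16).chr(Encoding::UTF_8)
    elsif $2 then $2.to_i.chr(Encoding::UTF_8)
    else NAMED_REFS.fetch($3, $&)   # unknown name: leave the text untouched
    end
  end
end

# Hardened check: decode, mimic the URL parser's normalisation (tab/LF/CR are
# dropped anywhere, leading and trailing C0 controls and spaces are trimmed),
# refuse anything that still contains a control character, then read the scheme.
def hardened_allowed_uri?(raw)
  value = decode_entities(raw).delete("\t\n\r")
  value = value.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, "")
  return false if value.match?(/[\x00-\x1f\x7f]/)
  m = value.match(SCHEME_RE)
  m.nil? || SAFE_SCHEMES.include?(m[1].downcase)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample attribute value: "javascript:" split by an entity-encoded tab.
  split = "java&#x09;script:alert(1)"
  puts "naive:    #{naive_allowed_uri?(split)}"     # true  (the check is bypassed)
  puts "hardened: #{hardened_allowed_uri?(split)}"  # false
end
```

The hardened version deliberately follows the order the browser uses (entity decoding, then URL normalisation) so that the check and the consumer agree on what the scheme is.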