Navigation:   Dark C0d3rs Exploit Log Research Papers/Vulnerability reports HackerOne Disclosed Reports - 2026-04-18

HackerOne Disclosed Reports - 2026-04-18

0 Replies, 7 Views

 hashXploiter

   4 hours ago
Administrator
#1
Logo
Low
resolved

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split j‌avascript: URLs


Bug reported by smlee was disclosed at April 18, 2026, 3:27 pm   |  

A vulnerability was discovered in the `Rails::HTML::Sanitizer.allowed_uri?` method of the `rails-html-sanitizer` library. The method incorrectly returned `true` for entity-encoded control-character-split `j‌avascript:` URLs, which could lead to potential security issues if the application relied on the method's result to make security decisions.


[Image: e72398fe92beda2aa80d0329e8b9f4febece7568.gif]

Messages In This Thread
HackerOne disclosed reports - 2026-04-18 - by hashXploiter - 4 hours ago



Users browsing this thread: 1 Guest(s)