Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.
Affected versions: Loofah < 2.2.1, but only:
* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.
Created rubygem-loofah tracking bugs for this issue:
Affects: fedora-all [bug 1559072]
This issue affects the versions of rubygem-loofah as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having a security impact of Moderate. This vulnerability won't be fixed on CloudForms 4, because it uses libxml 2.9.1 and since the vulnerability requires a libxml >= 2.9.2 in order to be exploitable. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/