LogicalBreach Academy

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs | Free Bug Bounty Writeup | LogicalBreach Academy

Writeups Cheatsheets Tools Collections Authors Noc Pricing

Back

OtherCVSS 2.5Hard

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs

hackerone-reports

April 19, 2026

22 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3601655 by smlee

Summary

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs such as:

javascript:alert(1)
java
script:alert(1)
jav	ascript:alert(1)

When these values are rendered into href attributes, browsers normalize them to javascript: URLs and execute them on click.

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

hackerone-reports

€14,023 Documented

Profile →

Related Writeups

hackerone-reports

HMAC signature verification omits endpoint and payload allowing request forgery on CoinMate API

HackerOne disclosed report --> https://hackerone.com/reports/3670955 by glferreira-devsecops

Read Writeup →

hackerone-reports

Critical Deadlock Vulnerability in Monero RPC Leading to Complete Node Paralysis

HackerOne disclosed report --> https://hackerone.com/reports/3307874 by rorkh

Read Writeup →

hackerone-reports

Out of scope: Improper Input Validation Order on /api-internal/login via password field leads to unnecessary resource consumption

HackerOne disclosed report --> https://hackerone.com/reports/3625600 by bereza4321

Read Writeup →

Discussion

No comments yet.

Be the first to share your thoughts

Premium writeups about bug bounty hunting and web security.
Written by real security researchers.

Navigation

Writeups Cheatsheets Tools Authors Noc Pricing

Contactcontact@logicalbreach.com

RSS FeedPrivacy PolicyTerms of Service