LogicalBreach Academy

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs | Free Bug Bounty Writeup | LogicalBreach Academy

Writeups Cheatsheets Tools Collections Authors Noc Pricing

Back

OtherCVSS 2.5Hard

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs

hackerone-reports

April 19, 2026

0 views

Save

€0

Vulnerability Summary

HackerOne disclosed report --> https://hackerone.com/reports/3601655 by smlee

Summary

Rails::HTML::Sanitizer.allowed_uri? returns true for entity-encoded control-character-split javascript: URLs such as:

javascript:alert(1)
java
script:alert(1)
jav	ascript:alert(1)

When these values are rendered into href attributes, browsers normalize them to javascript: URLs and execute them on click.

Identification Required

You must be logged in to read this writeup. Join our community of researchers today.

hackerone-reports

€13,553 Documented

Profile →

Related Writeups

hackerone-reports

Residual Malicious Payloads on HackerOne after Vulnerability Fixes

HackerOne disclosed report --> https://hackerone.com/reports/3168691 by joejoe5

Read Writeup →

hackerone-reports

DOS via Mutation Aliasing in GraphQL Account Recovery Phone Number Verification API

HackerOne disclosed report --> https://hackerone.com/reports/3287208 by hellokbit

Read Writeup →

hackerone-reports

Fail-Open in set_tlsext_servername_callback on pyopenssl via unhandled exceptions leads to security bypass

HackerOne disclosed report --> https://hackerone.com/reports/3558277 by uv3doble

Read Writeup →

Discussion

No comments yet.

Be the first to share your thoughts

Premium writeups about bug bounty hunting and web security.
Written by real security researchers.

Navigation

Writeups Cheatsheets Tools Authors Noc Pricing

Contactcontact@logicalbreach.com

RSS FeedPrivacy PolicyTerms of Service