Sanitize 1.0.3 released with a security fix

Thursday January 15, 2009 @ 10:34 PM (PST)

I’ve released version 1.0.3 of Sanitize, my whitelist-based Ruby HTML sanitizer. This version fixes a bug whereby incomplete Unicode or hex entities could be used to prevent non-whitelisted URL protocols from being cleaned.

While this is a non-issue in most cases since the majority of browsers will not decode incomplete entities, IE6 and at least some versions of Opera do decode them, which means that users of those browsers may be vulnerable to malicious script injection via a version of Sanitize prior to 1.0.3.

The DEFAULT and RESTRICTED configurations in previous versions of Sanitize are not vulnerable. The BASIC and RELAXED configs, as well as any custom configuration that allows an attribute containing a URL protocol, are vulnerable.
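The following Ruby snippet is an added illustration of the bug class described above and is not code from Sanitize itself. It contrasts a naive protocol check that only decodes well-formed numeric entities with a hardened check that, like the browsers mentioned above, also decodes entities with no trailing semicolon before matching the URL protocol against a whitelist. The `ALLOWED_PROTOCOLS` list, the function names and the sample URLs are all constructed for the example.

```ruby
# Added example (not Sanitize's own code): check an href-style attribute value
# against a protocol whitelist after decoding numeric character references,
# including *incomplete* ones (no trailing semicolon).

# Protocols permitted for the attribute; constructed for this example and
# loosely modelled on a basic "links allowed" configuration.
ALLOWED_PROTOCOLS = %w[http https mailto].freeze

# Decimal (&#102) or hex (&#x66) references. In the lenient form the ';' is
# optional, which is how IE6 and some Opera versions parse them.
LENIENT_NUMERIC_ENTITY = /&#(?:x([0-9a-f]+)|([0-9]+));?/i
STRICT_NUMERIC_ENTITY  = /&#(?:x([0-9a-f]+)|([0-9]+));/i

# Replace each numeric reference matched by +pattern+ with its character.
# Codepoints outside the Unicode range (or in the surrogate block) are dropped.
def decode_numeric_entities(value, pattern = LENIENT_NUMERIC_ENTITY)
  value.gsub(pattern) do
    hex, dec = Regexp.last_match(1), Regexp.last_match(2)
    codepoint = hex ? hex.to_i(16) : dec.to_i
    valid = codepoint.between?(1, 0x10FFFF) && !codepoint.between?(0xD800, 0xDFFF)
    valid ? [codepoint].pack('U') : ''
  end
end

# Return the URL's scheme (lower-cased), or nil for a relative URL.
# Surrounding whitespace is stripped first since browsers ignore it.
def extract_protocol(value)
  match = value.strip.match(/\A([a-z][a-z0-9+.\-]*):/i)
  match && match[1].downcase
end

# Naive check: decodes only complete entities, so "&#102ile:..." is never
# recognised as "file:..." and slips through as a "relative" URL.
def naive_safe_url?(raw_value, allowed = ALLOWED_PROTOCOLS)
  protocol = extract_protocol(decode_numeric_entities(raw_value, STRICT_NUMERIC_ENTITY))
  protocol.nil? || allowed.include?(protocol)
end

# Hardened check: decodes incomplete entities too, so the protocol seen by a
# lenient browser is the protocol that gets whitelisted.
def safe_url?(raw_value, allowed = ALLOWED_PROTOCOLS)
  protocol = extract_protocol(decode_numeric_entities(raw_value))
  protocol.nil? || allowed.include?(protocol)
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values; "file:" is not in the whitelist.
  ['http://example.com/', '/relative/path', 'file:///tmp/x', '&#102ile:///tmp/x', '&#x66ile:///tmp/x'].each do |url|
    puts format('%-22s naive=%-5s hardened=%s', url, naive_safe_url?(url), safe_url?(url))
  end
end
```

The difference shows up only for the incomplete forms: both checks reject a plain `file:` URL, but only the hardened one rejects `&#102ile:` and `&#x66ile:`, which a lenient browser renders as `file:`. Whatever decoder a sanitizer uses, it must be at least as permissive as the browsers the output is served to.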

To install or upgrade Sanitize via RubyGems, run:

gem install sanitize


Copyright © 2002-2010 Ryan Grove. All rights reserved.