Loofah Gem – CVE-2018-16468

The Loofah gem recently had a vulnerability reported which could potentially expose your application to a Cross Site Scripting attack.

From https://nvd.nist.gov/vuln/detail/CVE-2018-16468 it reads:

In the Loofah gem for Ruby, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Since the Ruby on Rails framework depends on rails-html-sanitizer, which in turn depends on loofah, it is likely that your application is affected too.

To immediately address this issue, add this to your Gemfile:

gem 'loofah', '~> 2.2.3'

Then run:

bundle update loofah
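To confirm that the update actually took effect (or to scan several applications at once), it helps to read the resolved loofah version straight out of Gemfile.lock rather than trusting the Gemfile constraint. The script below is an added example written for this post, not code from the Loofah project; it parses a constructed Gemfile.lock excerpt and flags any loofah release before 2.2.3, the first version containing the fix.

```ruby
# Added example (not part of the original post): check a Gemfile.lock for a
# loofah version that predates the CVE-2018-16468 fix in 2.2.3.
require 'rubygems'

FIXED_LOOFAH = Gem::Version.new('2.2.3')

# Returns the loofah version resolved in a Gemfile.lock text, or nil if the
# gem is not present. Only the 4-space-indented "specs:" entry carries a
# concrete version; 6-space-indented lines are dependency constraints and
# are deliberately ignored.
def loofah_version_in_lock(lock_text)
  m = lock_text.match(/^ {4}loofah \((\d+(?:\.\d+)*)\)$/)
  m && Gem::Version.new(m[1])
end

# True when the lock file resolves loofah to a version older than 2.2.3.
# A lock with no loofah at all is reported as not affected.
def loofah_vulnerable?(lock_text)
  version = loofah_version_in_lock(lock_text)
  return false if version.nil?
  version < FIXED_LOOFAH
end

# Constructed Gemfile.lock excerpt showing the pre-fix resolution that a
# Rails application pulling in rails-html-sanitizer would typically have.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)
LOCK

if __FILE__ == $0
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCK
  version = loofah_version_in_lock(text)
  if version.nil?
    puts 'loofah not found in lock file'
  elsif loofah_vulnerable?(text)
    puts "loofah #{version} is affected by CVE-2018-16468; update to >= #{FIXED_LOOFAH}"
  else
    puts "loofah #{version} is not affected"
  end
end
```

Run it with no argument to see the result for the built-in sample, or pass the path to a real Gemfile.lock. Gem::Version is used for the comparison so that multi-digit components (for example 2.10.0) sort correctly, which a plain string comparison would get wrong.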