ProseMirror on 办公AI智能小助手 https://blog.qife122.com/tags/prosemirror/ Recent content in ProseMirror on 办公AI智能小助手 Hugo zh-cn qife Mon, 08 Dec 2025 22:57:16 +0800 ProsemirrorToHtml Ruby库存在XSS漏洞:HTML属性值未经转义导致安全风险 https://blog.qife122.com/p/prosemirrortohtml-ruby%E5%BA%93%E5%AD%98%E5%9C%A8xss%E6%BC%8F%E6%B4%9Ehtml%E5%B1%9E%E6%80%A7%E5%80%BC%E6%9C%AA%E7%BB%8F%E8%BD%AC%E4%B9%89%E5%AF%BC%E8%87%B4%E5%AE%89%E5%85%A8%E9%A3%8E%E9%99%A9/ Mon, 08 Dec 2025 22:57:16 +0800 https://blog.qife122.com/p/prosemirrortohtml-ruby%E5%BA%93%E5%AD%98%E5%9C%A8xss%E6%BC%8F%E6%B4%9Ehtml%E5%B1%9E%E6%80%A7%E5%80%BC%E6%9C%AA%E7%BB%8F%E8%BD%AC%E4%B9%89%E5%AF%BC%E8%87%B4%E5%AE%89%E5%85%A8%E9%A3%8E%E9%99%A9/ <h3 id="漏洞详情">漏洞详情</h3> <p><strong>重复公告</strong> 本公告因与GHSA-52c5-vh7f-26fx重复而被撤销。保留此链接以维护外部引用。</p> <p><strong>原始描述</strong> <strong>影响</strong> <code>prosemirror_to_html</code> gem存在跨站脚本(XSS)漏洞,攻击者可通过恶意HTML属性值注入攻击。虽然标签内容已正确转义,但属性值未转义,导致攻击者可以注入任意JavaScript代码。</p>