Launchpad.net

CVE 2018-3740

A specially crafted HTML fragment can cause Sanitize gem for Ruby to allow non-whitelisted attributes to be used on a whitelisted HTML element.

See the CVE page on Mitre.org for more details.