The Shopify Application Security Team discovered that ruby-sanitize, a
whitelist-based HTML sanitizer, is prone to a HTML injection
vulnerability A specially crafted HTML fragment can cause to allow nonwhitelisted attributes to be used on a whitelisted HTML element
For the stable distribution (stretch), this problem has been fixed in
version 21 ...