CVE-2020-36644: 
Ruby vulnerability analysis and mitigation

A vulnerability has been identified in jamesmartin Inline SVG up to version 1.7.1 (CVE-2020-36644). The vulnerability relates to insufficient input sanitization when handling SVG filenames, which could potentially lead to Cross-Site Scripting (XSS) attacks (GitHub PR).

The vulnerability exists in the file handling mechanism where user input for SVG filenames is not properly sanitized before being rendered in error messages. When a requested SVG file is not found, the filename is included in an HTML comment without proper escaping, which could allow for XSS payload execution. The issue was fixed by implementing HTML escaping using ERB::Util.htmlescapeonce() for filenames in error messages (GitHub Commit).

If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of users' browsers when viewing pages that attempt to render non-existent SVG files with maliciously crafted filenames. This could potentially lead to session hijacking, data theft, or other client-side attacks (GitHub PR).

The vulnerability was patched in version 1.7.2 of the Inline SVG gem. Users should upgrade to this version or later to receive the security fix. As a workaround before upgrading, applications can implement input validation to whitelist allowed SVG filenames before passing them to the inlinesvg helper ([GitHub Release](https://github.com/jamesmartin/inlinesvg/releases/tag/v1.7.2)).