Sanitize ActionText HTML ContentAttachment in Trix edit view
[CVE-2024-32464] Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This could lead to a potential cross site scripting issue within the Trix editor. This change enforces existing sanitization routines on ActionText::Attachable::ContentAttachment attachments.
parent
35858f1d9d
commit
e215bf3360
@ -16,6 +16,15 @@ def render_action_text_content(content)
|
||||
sanitize_action_text_content(render_action_text_attachments(content))
|
||||
end
|
||||
|
||||
def sanitize_content_attachment(content_attachment)
|
||||
sanitizer.sanitize(
|
||||
content_attachment,
|
||||
tags: sanitizer_allowed_tags,
|
||||
attributes: sanitizer_allowed_attributes,
|
||||
scrubber: scrubber,
|
||||
)
|
||||
end
|
||||
|
||||
def sanitize_action_text_content(content)
|
||||
sanitizer.sanitize(
|
||||
content.to_html,
|
||||
|
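Review bot: The new `sanitize_content_attachment` carries no doc comment, and nothing in the hunk says it is meant for the `content` attribute of an `<action-text-attachment>` node rather than for a whole body, so its relationship to the neighbouring `sanitize_action_text_content` is left to the reader. I would add above the `def`: `# Sanitizes the author-supplied HTML held in an attachment's "content" attribute with the same allow-list and scrubber applied to the rendered body, so it is safe to store back on the node before rendering.` The `tags:`/`attributes:`/`scrubber:` trio also looks identical to the start of the `sanitize_action_text_content` call on the last hunk lines (that method's body continues outside the hunk); if the options really are the same, a private `sanitizer_options` hash passed as `**sanitizer_options` to both calls would keep the two allow-lists from drifting apart.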
@ -22,7 +22,7 @@ module ActionText
|
||||
# body.to_s # => "<h1>Funny times!</h1>"
|
||||
# body.to_plain_text # => "Funny times!"
|
||||
class Content
|
||||
include Rendering, Serialization
|
||||
include Rendering, Serialization, ContentHelper
|
||||
|
||||
attr_reader :fragment
|
||||
|
||||
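Review bot: Including the whole `ContentHelper` into `ActionText::Content` (the replacement `include` line, which I take to be the added side since the markers are lost on this page) to reach one sanitizing method also mixes every other helper in that module into the model-level class, widening `Content`'s public interface and coupling it to view-helper state such as the sanitizer accessors. If only `sanitize_content_attachment` is needed, a narrower module holding just the sanitizer helpers would avoid that, or at minimum the intent should be recorded above the include with `# ContentHelper supplies sanitize_content_attachment for render_attachments`. The rest of `ContentHelper` is not visible here, so the extent of the added surface is inferred.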
@ -97,6 +97,7 @@ def append_attachables(attachables)
|
||||
|
||||
def render_attachments(**options, &block)
|
||||
content = fragment.replace(ActionText::Attachment.tag_name) do |node|
|
||||
node["content"] = sanitize_content_attachment(node["content"])
|
||||
block.call(attachment_for_node(node, **options))
|
||||
end
|
||||
self.class.new(content, canonicalize: false)
|
||||
|
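Review bot: `node["content"] = sanitize_content_attachment(node["content"])` runs for every attachment node, including sgid-based attachments that carry no `content` attribute, so `nil` is handed to the sanitizer and the result written straight back; if the sanitizer passes `nil` through, Nokogiri's `[]=` will presumably stringify it and leave an empty `content=""` on nodes that never had one. Guarding the call keeps non-HTML attachments untouched: `if node.key?("content")` / `node["content"] = sanitize_content_attachment(node["content"])` / `end`. A one-line comment on the mutation would also help the next reader, e.g. `# Attachment content is author-supplied HTML; sanitize it before it reaches the Trix edit view.` Which line is the added one is inferred from the hunk header's +1, and `render_attachments`'s closing `end` lies outside the hunk.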
@ -79,6 +79,15 @@ class ActionText::AttachmentTest < ActiveSupport::TestCase
|
||||
end
|
||||
end
|
||||
|
||||
test "sanitizes HTML content attachment" do
|
||||
attachment = attachment_from_html('<action-text-attachment content-type="text/html" content="<img src=\".\" onerror=alert>"></action-text-attachment>')
|
||||
attachable = attachment.attachable
|
||||
|
||||
ActionText::Content.with_renderer MessagesController.renderer do
|
||||
assert_equal "<img src=\"\\%22.\\%22\">", attachable.to_html.strip
|
||||
end
|
||||
end
|
||||
|
||||
test "defaults trix partial to model partial" do
|
||||
attachable = Page.create! title: "Homepage"
|
||||
assert_equal "pages/page", attachable.to_trix_content_attachment_partial_path
|
||||
|
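Review bot: The new test pins the exact post-sanitization serialization of the `src` attribute, `\%22.\%22`, which is an artifact of how the sanitizer rewrites the malformed quoting in the payload rather than the property the commit is about; a sanitizer or Nokogiri upgrade that serializes it differently would fail the test even though the `onerror` handler is still stripped. Asserting the property directly is more robust: after `html = attachable.to_html.strip`, use `assert_no_match(/onerror/, html)` together with `assert_match(/\A<img /, html)`. The case also only exercises `attachable.to_html`; a second assertion going through the `render_attachments` path that the commit changes would cover the Trix edit-view route named in the description, though what `to_html` does with the content is not visible on this page.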