Sanitize ActionText HTML ContentAttachment in Trix edit view

[CVE-2024-32464] Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This could lead to a potential cross site scripting issue within the Trix editor. This change enforces existing sanitization routines on ActionText::Attachable::ContentAttachment attachments.
2024-03-21 16:39:06 -04:00 · 2024-03-21 16:39:06 -04:00 · e215bf3360
commit e215bf3360
parent 35858f1d9d
3 changed files with 20 additions and 1 deletions
--- a/actiontext/app/helpers/action_text/content_helper.rb
+++ b/actiontext/app/helpers/action_text/content_helper.rb
@ -16,6 +16,15 @@ def render_action_text_content(content)
      sanitize_action_text_content(render_action_text_attachments(content))
    end

+    def sanitize_content_attachment(content_attachment)
+      sanitizer.sanitize(
+        content_attachment,
+        tags: sanitizer_allowed_tags,
+        attributes: sanitizer_allowed_attributes,
+        scrubber: scrubber,
+      )
+    end
+
    def sanitize_action_text_content(content)
      sanitizer.sanitize(
        content.to_html,
--- a/actiontext/lib/action_text/content.rb
+++ b/actiontext/lib/action_text/content.rb
@ -22,7 +22,7 @@ module ActionText
  #     body.to_s # => "<h1>Funny times!</h1>"
  #     body.to_plain_text # => "Funny times!"
  class Content
-    include Rendering, Serialization
+    include Rendering, Serialization, ContentHelper

    attr_reader :fragment

@ -97,6 +97,7 @@ def append_attachables(attachables)

    def render_attachments(**options, &block)
      content = fragment.replace(ActionText::Attachment.tag_name) do |node|
+        node["content"] = sanitize_content_attachment(node["content"])
        block.call(attachment_for_node(node, **options))
      end
      self.class.new(content, canonicalize: false)
--- a/actiontext/test/unit/attachment_test.rb
+++ b/actiontext/test/unit/attachment_test.rb
@ -79,6 +79,15 @@ class ActionText::AttachmentTest < ActiveSupport::TestCase
    end
  end

+  test "sanitizes HTML content attachment" do
+    attachment = attachment_from_html('<action-text-attachment content-type="text/html" content="<img src=\&quot;.\&quot; onerror=alert>"></action-text-attachment>')
+    attachable = attachment.attachable
+
+    ActionText::Content.with_renderer MessagesController.renderer do
+      assert_equal "<img src=\"\\%22.\\%22\">", attachable.to_html.strip
+    end
+  end
+
  test "defaults trix partial to model partial" do
    attachable = Page.create! title: "Homepage"
    assert_equal "pages/page", attachable.to_trix_content_attachment_partial_path