Sanitize ActionText HTML ContentAttachment in Trix edit view
[CVE-2024-32464] Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This could lead to a potential cross site scripting issue within the Trix editor. This change enforces existing sanitization routines on ActionText::Attachable::ContentAttachment attachments.
parent
35858f1d9d
commit
e215bf3360
@ -16,6 +16,15 @@ def render_action_text_content(content)
|
|||||||
sanitize_action_text_content(render_action_text_attachments(content))
|
sanitize_action_text_content(render_action_text_attachments(content))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def sanitize_content_attachment(content_attachment)
|
||||||
|
sanitizer.sanitize(
|
||||||
|
content_attachment,
|
||||||
|
tags: sanitizer_allowed_tags,
|
||||||
|
attributes: sanitizer_allowed_attributes,
|
||||||
|
scrubber: scrubber,
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
def sanitize_action_text_content(content)
|
def sanitize_action_text_content(content)
|
||||||
sanitizer.sanitize(
|
sanitizer.sanitize(
|
||||||
content.to_html,
|
content.to_html,
|
||||||
|
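Review bot: `sanitize_content_attachment` repeats the `tags:`/`attributes:`/`scrubber:` argument list that `sanitize_action_text_content` passes a few lines below, so a later change to the allow-list on one call silently will not apply to the other; the existing method could instead be written as `sanitize_content_attachment(content.to_html).html_safe` so both paths go through one sanitizer invocation. Unlike the existing method, the new one returns the sanitizer's result without `.html_safe`, which is right here because the value goes back into a node attribute rather than into a template, and that deserves a comment on the method: `# Sanitizes the raw HTML held in an <action-text-attachment content="..."> attribute; returns a plain String (not html_safe) because the caller re-serializes it into the attribute`. The new method is also reached with nil when an attachment node carries no `content` attribute, and what the sanitizer returns for nil is outside this hunk and should be confirmed at the call site.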
@ -22,7 +22,7 @@ module ActionText
|
|||||||
# body.to_s # => "<h1>Funny times!</h1>"
|
# body.to_s # => "<h1>Funny times!</h1>"
|
||||||
# body.to_plain_text # => "Funny times!"
|
# body.to_plain_text # => "Funny times!"
|
||||||
class Content
|
class Content
|
||||||
include Rendering, Serialization
|
include Rendering, Serialization, ContentHelper
|
||||||
|
|
||||||
attr_reader :fragment
|
attr_reader :fragment
|
||||||
|
|
||||||
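Review bot: Including all of `ContentHelper` into `Content` (`include Rendering, Serialization, ContentHelper`) puts the whole view-helper surface on every `Content` instance as public methods — `render_action_text_content`, `render_action_text_attachments` and, if the module's `sanitizer`/`allowed_tags`/`scrubber` settings are `mattr_accessor`s as I recall, their instance-level readers and writers — even though only `sanitize_content_attachment` is needed here. A writer such as `content.sanitizer = ...` would then mutate the process-wide sanitizer configuration from a model object. Consider moving the sanitization method into a small dedicated module that `ContentHelper` also includes, or at least declaring the inherited helper methods private on `Content` after the include. The class body continues past this hunk.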
@ -97,6 +97,7 @@ def append_attachables(attachables)
|
|||||||
|
|
||||||
def render_attachments(**options, &block)
|
def render_attachments(**options, &block)
|
||||||
content = fragment.replace(ActionText::Attachment.tag_name) do |node|
|
content = fragment.replace(ActionText::Attachment.tag_name) do |node|
|
||||||
|
node["content"] = sanitize_content_attachment(node["content"])
|
||||||
block.call(attachment_for_node(node, **options))
|
block.call(attachment_for_node(node, **options))
|
||||||
end
|
end
|
||||||
self.class.new(content, canonicalize: false)
|
self.class.new(content, canonicalize: false)
|
||||||
|
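Review bot: The added line assigns the sanitizer's result unconditionally, so an attachment node with no `content` attribute (an `sgid`-only attachment, for example) is touched as well; if the sanitizer returns nil for nil input, Nokogiri's `Node#[]=` stores `value.to_s`, which would add an empty `content=""` attribute to nodes that never had one, and that attribute then reaches `attachment_for_node` on the next line and whatever reads `node["content"]` downstream. Guarding the assignment keeps the change scoped to the attachments it targets: `node["content"] = sanitize_content_attachment(node["content"]) if node.key?("content")`. Whether the sanitizer really returns nil here cannot be seen from this hunk, so it should be confirmed with a test that passes an attachment without a `content` attribute through `render_attachments`. `render_attachments` is shown in full; the enclosing class continues outside the hunk.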
@ -79,6 +79,15 @@ class ActionText::AttachmentTest < ActiveSupport::TestCase
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "sanitizes HTML content attachment" do
|
||||||
|
attachment = attachment_from_html('<action-text-attachment content-type="text/html" content="<img src=\".\" onerror=alert>"></action-text-attachment>')
|
||||||
|
attachable = attachment.attachable
|
||||||
|
|
||||||
|
ActionText::Content.with_renderer MessagesController.renderer do
|
||||||
|
assert_equal "<img src=\"\\%22.\\%22\">", attachable.to_html.strip
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
test "defaults trix partial to model partial" do
|
test "defaults trix partial to model partial" do
|
||||||
attachable = Page.create! title: "Homepage"
|
attachable = Page.create! title: "Homepage"
|
||||||
assert_equal "pages/page", attachable.to_trix_content_attachment_partial_path
|
assert_equal "pages/page", attachable.to_trix_content_attachment_partial_path
|
||||||
|
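Review bot: The new test only checks `attachable.to_html`, while the commit targets the Trix edit view, where the `content` attribute travels through `render_attachments` into the Trix attachment markup; an assertion on that path, e.g. building `ActionText::Content.new(...)` from the same markup and checking `assert_no_match(/onerror/, content.to_trix_html)`, would cover what the change claims to fix. The literal expectation `"<img src=\"\\%22.\\%22\">"` pins the sanitizer's exact quote-escaping of the malformed `src`, so an unrelated change in the sanitizer gem's serialization would fail this test without any security regression; asserting the absence of `onerror` and the presence of `<img` is the property that matters. A comment such as `# the content attribute holds HTML that must pass the same allow-list as the body` above the test would record why it exists.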