From aec86444abbd9052e14f730b7305d7c5f6ee3603 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alberto=20Fern=C3=A1ndez-Capel?=
Date: Wed, 1 May 2024 14:50:29 +0100
Subject: [PATCH] Sanitize HTML content in data-trix-* attributes

Prevents XSS attacks by crafting a malicious HTML content in the data-trix-* attributes.
---
 src/trix/models/html_parser.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/trix/models/html_parser.js b/src/trix/models/html_parser.js
index c09b4a1b8..de3d3a7dc 100644
--- a/src/trix/models/html_parser.js
+++ b/src/trix/models/html_parser.js
@@ -40,7 +40,13 @@ const blockForAttributes = (attributes = {}, htmlAttributes = {}) => {
 const parseTrixDataAttribute = (element, name) => {
 try {
- return JSON.parse(element.getAttribute(`data-trix-${name}`))
+ const data = JSON.parse(element.getAttribute(`data-trix-${name}`))
+
+ if (data.contentType === "text/html" && data.content) {
+ data.content = HTMLSanitizer.sanitize(data.content).getHTML()
+ }
+
+ return data
 } catch (error) {
 return {}
 }
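Review bot: The sanitizing branch fires only on an exact `data.contentType === "text/html"`, so a value that the downstream consumer of `content` might still render as HTML but that is spelled differently (different case, or with a parameter such as a charset) would bypass `HTMLSanitizer.sanitize`; if that consumer matches the type more loosely than this strict comparison, the condition here should use the same predicate, though the consumer is outside the hunk and I cannot confirm it. The widened `try` now also swallows any error thrown by `HTMLSanitizer` itself (or a `ReferenceError` if it is not already imported in this file, since the diff adds no import) and returns `{}`; that fails closed, which is the right default for this path, but a comment such as `// any failure here drops the attribute data rather than letting unsanitized HTML through` would make the intent explicit. Note also that an absent attribute used to yield `null` (from `JSON.parse(null)`) and now yields `{}` because `data.contentType` throws inside the try; if any caller distinguishes those two results, guard the branch with `if (data && data.contentType === "text/html" && data.content) {` instead.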