From 1abe3d27ee66135d7e759632f834cde9d36a1696 Mon Sep 17 00:00:00 2001
From: Lewis Buckley
Date: Fri, 26 Apr 2024 14:49:01 +0100
Subject: [PATCH 1/2] Test attachment content is sanitized
---
src/test/system/pasting_test.js | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/test/system/pasting_test.js b/src/test/system/pasting_test.js
index 8bcb9f642..fa9891c6d 100644
--- a/src/test/system/pasting_test.js
+++ b/src/test/system/pasting_test.js
@@ -104,6 +104,21 @@ testGroup("Pasting", { template: "editor_empty" }, () => {
 delete window.unsanitized
 })
+ test("paste data-trix-attachment unsafe html", async () => {
+ window.unsanitized = []
+ const pasteData = {
+ "text/plain": "x",
+ "text/html": `\
+ copy
me
+ `,
+ }
+
+ await pasteContent(pasteData)
+ await delay(20)
+ assert.deepEqual(window.unsanitized, [])
+ delete window.unsanitized
+ })
+
 test("prefers plain text when html lacks formatting", async () => {
 const pasteData = {
 "text/html": "a\nb",
From 14bac183313e5fb0ea61eafae4eed5de84848d10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alberto=20Fern=C3=A1ndez-Capel?=
Date: Wed, 1 May 2024 14:50:29 +0100
Subject: [PATCH 2/2] Sanitize HTML content in data-trix-* attributes
Prevents XSS attacks by crafting a malicious HTML content in the data-trix-* attributes.
---
src/trix/models/html_parser.js | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/trix/models/html_parser.js b/src/trix/models/html_parser.js
index c09b4a1b8..de3d3a7dc 100644
--- a/src/trix/models/html_parser.js
+++ b/src/trix/models/html_parser.js
@@ -40,7 +40,13 @@ const blockForAttributes = (attributes = {}, htmlAttributes = {}) => {
 const parseTrixDataAttribute = (element, name) => {
 try {
- return JSON.parse(element.getAttribute(`data-trix-${name}`))
+ const data = JSON.parse(element.getAttribute(`data-trix-${name}`))
+
+ if (data.contentType === "text/html" && data.content) {
+ data.content = HTMLSanitizer.sanitize(data.content).getHTML()
+ }
+
+ return data
 } catch (error) {
 return {}
 }
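Review bot: The cleanup `delete window.unsanitized` in the new "paste data-trix-attachment unsafe html" test only runs when `assert.deepEqual(window.unsanitized, [])` passes, so a regression would leave the global set for the tests that follow in this group; the preceding test, visible in the context lines above the addition, has the same shape. Wrapping the body as `try { await pasteContent(pasteData); await delay(20); assert.deepEqual(window.unsanitized, []) } finally { delete window.unsanitized }` keeps the cleanup unconditional. The fixed `delay(20)` is presumably a timing budget for the asynchronous paste handling; if the paste path exposes a completion promise, awaiting it instead would make the assertion deterministic rather than timing-dependent. The test also only checks that no injected handler ran; an additional assertion on the pasted attachment's stored content would pin the sanitized output itself, which is what the commit title claims to test.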