Don't drop inner content of forbidden tags

mamhoff · Jan 22, 2024 · 109efe9 · 109efe9
1 parent b59edc6
commit 109efe9
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 8 deletions.
diff --git a/app/assets/javascripts/alchemy/alchemy.link_dialog.js.coffee b/app/assets/javascripts/alchemy/alchemy.link_dialog.js.coffee
@@ -129,10 +129,11 @@ class window.Alchemy.LinkDialog extends Alchemy.Dialog
 
   # Sets the link either in TinyMCE or on an Ingredient.
   setLink: (url, title, target) ->
+    trimmedUrl = url.trim()
     if @link_object.editor
-      @setTinyMCELink(url, title, target)
+      @setTinyMCELink(trimmedUrl, title, target)
     else
-      @link_object.setLink(url, title, target, @link_type)
+      @link_object.setLink(trimmedUrl, title, target, @link_type)
     return
 
   # Sets a link in TinyMCE editor.

diff --git a/lib/alchemy/scrubbers/safe_list.rb b/lib/alchemy/scrubbers/safe_list.rb
@@ -13,7 +13,9 @@ def initialize(config)
 
       def scrub(node)
         return CONTINUE if sanitize(node) == CONTINUE
-
+        if Loofah::HTML5::Scrub.allowed_element?(node.name)
+          node.before(node.children)
+        end
         node.remove
         STOP
       end

diff --git a/spec/libraries/alchemy/scrubbers/safe_list_spec.rb b/spec/libraries/alchemy/scrubbers/safe_list_spec.rb
@@ -12,31 +12,58 @@
     context "with a tag that is not allowed" do
       let(:html) { "<script> console.log('oops') </script>" }
 
-      it { is_expected.to eq("") }
+      it "removes the tag" do
+        is_expected.to eq("")
+      end
+    end
+
+    context "with an iframe" do
+      let(:html) { "<iframe> myframe </iframe>" }
+
+      it "removes the tag" do
+        is_expected.to eq("")
+      end
     end
 
     context "with an allowed tag" do
       let(:html) { "<p>Some text</p>" }
 
-      it { is_expected.to eq(html) }
+      it "does not remove the tag" do
+        is_expected.to eq(html)
+      end
     end
 
     context "with an allowed attribute" do
       let(:html) { "<p class=\"pretty\">Some text</p>" }
 
-      it { is_expected.to eq(html) }
+      it "does not remove the attribute" do
+        is_expected.to eq(html)
+      end
     end
 
     context "with a disallowed attribute" do
       let(:html) { "<p style='color: red;'>Some text</p>" }
 
-      it { is_expected.to eq("<p>Some text</p>") }
+      it "removes the attribute" do
+        is_expected.to eq("<p>Some text</p>")
+      end
     end
 
     context "with a link with a space in the href" do
       let(:html) { "<a href=\"/hello/ \">Hello!</a>" }
 
-      it { is_expected.to eq(html) }
+      it "does not escape the trailing whitespace" do
+        is_expected.to eq(html)
+      end
+    end
+
+    context "with a node nested in a disallowed node" do
+      let(:config) { {safe_tags: ["a"]} }
+      let(:html) { "<h1><a href=\"/hello/ \">Hello!</a></h1>" }
+
+      it "keeps the nested node" do
+        is_expected.to eq("<a href=\"/hello/ \">Hello!</a>")
+      end
     end
   end
 end