Skip to content

Commit

Permalink
Backport fix for CVE-2024-34341 to v1.3
Browse files Browse the repository at this point in the history
  • Loading branch information
afcapel committed May 14, 2024
1 parent d7647ae commit 542a4f1
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 2 deletions.
7 changes: 6 additions & 1 deletion src/trix/models/html_parser.coffee
Original file line number Diff line number Diff line change
Expand Up @@ -238,7 +238,12 @@ class Trix.HTMLParser extends Trix.BasicObject

parseTrixDataAttribute = (element, name) ->
try
JSON.parse(element.getAttribute("data-trix-#{name}"))
data = JSON.parse(element.getAttribute("data-trix-#{name}"))

if data.contentType == "text/html" and data.content
data.content = HTMLSanitizer.sanitize(data.content).getHTML()

data
catch
{}

Expand Down
2 changes: 1 addition & 1 deletion src/trix/models/html_sanitizer.coffee
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
class Trix.HTMLSanitizer extends Trix.BasicObject
DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ")
DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
DEFAULT_FORBIDDEN_ELEMENTS = "script iframe".split(" ")
DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")

@sanitize: (html, options) ->
sanitizer = new this html, options
Expand Down
24 changes: 24 additions & 0 deletions test/src/system/pasting_test.coffee
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,30 @@ testGroup "Pasting", template: "editor_empty", ->
delete window.unsanitized
done()

test "paste unsafe html with noscript", (done) ->
window.unsanitized = []
pasteData =
"text/plain": "x",
"text/html": "<div><noscript><div class=\"123</noscript>456<img src=1 onerror=window.unsanitized.push(1)//\"></div></noscript></div>"

pasteContent pasteData, () ->
after 20, () ->
assert.deepEqual(window.unsanitized, [])
delete window.unsanitized
done()

test "paste data-trix-attachment unsafe html", (done) ->
window.unsanitized = []
pasteData =
"text/plain": "x",
"text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}\"></div>me"

pasteContent pasteData, ->
after 20, ->
assert.deepEqual window.unsanitized, []
delete window.unsanitized
done()

test "prefers plain text when html lacks formatting", (expectDocument) ->
pasteData =
"text/html": "<meta charset='utf-8'>a\nb"
Expand Down

0 comments on commit 542a4f1

Please sign in to comment.