Skip to content

Commit

Permalink
Sanitize HTML content in data-trix-* attributes
Browse files Browse the repository at this point in the history
Prevents XSS attacks by crafting a malicious HTML content in the
data-trix-* attributes.
  • Loading branch information
afcapel committed May 1, 2024
1 parent 1abe3d2 commit 14bac18
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion src/trix/models/html_parser.js
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,13 @@ const blockForAttributes = (attributes = {}, htmlAttributes = {}) => {

const parseTrixDataAttribute = (element, name) => {
try {
return JSON.parse(element.getAttribute(`data-trix-${name}`))
const data = JSON.parse(element.getAttribute(`data-trix-${name}`))

if (data.contentType === "text/html" && data.content) {
data.content = HTMLSanitizer.sanitize(data.content).getHTML()
}

return data
} catch (error) {
return {}
}
Expand Down

0 comments on commit 14bac18

Please # to comment.