Sanitize HTML content in data-trix-* attributes

Prevents XSS attacks by crafting a malicious HTML content in the data-trix-* attributes.
basecamp · May 1, 2024 · aec8644 · aec8644
1 parent 5ea39c2
commit aec8644
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/trix/models/html_parser.js b/src/trix/models/html_parser.js
@@ -40,7 +40,13 @@ const blockForAttributes = (attributes = {}, htmlAttributes = {}) => {
 
 const parseTrixDataAttribute = (element, name) => {
   try {
-    return JSON.parse(element.getAttribute(`data-trix-${name}`))
+    const data = JSON.parse(element.getAttribute(`data-trix-${name}`))
+
+    if (data.contentType === "text/html" && data.content) {
+      data.content = HTMLSanitizer.sanitize(data.content).getHTML()
+    }
+
+    return data
   } catch (error) {
     return {}
   }