Version 2.1.1 is removing the img from previews

[xdmx]

I've upgraded from v1 to v2.1.1 together with a bunch of other dependencies (including rails 7.1.3.4) and migrated back to a vanilla Trix (before I had a Stimulus controller to add color pickers).

I've noticed that I can upload images and they show the preview, but when I go back to the form and the rich text loads the preview doesn't contain the img tag anymore

I've tried to downgrade just rails to 7.1.3.3 and trix to 2.1.0 and retried and the preview and the img tag shows up. Could it be that the sanitize added in #1149 is removing the img tag (the figure and caption are there, just the img is missing)?

The content of the trix-editor:

<div><!--block-->Test
  text<br><span data-trix-cursor-target="left" data-trix-serialize="false"></span>
  <figure contenteditable="false" data-trix-attachment="{&quot;content&quot;:&quot;&quot;,&quot;contentType&quot;:&quot;image/png&quot;,&quot;filename&quot;:&quot;ad3.png&quot;,&quot;filesize&quot;:9996,&quot;height&quot;:60,&quot;previewable&quot;:true,&quot;sgid&quot;:&quot;eyJfcmFpbHMiOnsiZGF0YSI6ImdpZDovL2NyZWF0b3ItbWV0cmljcy9BY3RpdmVTdG9yYWdlOjpCbG9iLzE1P2V4cGlyZXNfaW4iLCJwdXIiOiJhdHRhY2hhYmxlIn19--47d460736d7b19b7934636273a0188f8d920fd4c&quot;,&quot;url&quot;:&quot;http://localhost:3000/rails/active_storage/blobs/redirect/eyJfcmFpbHMiOnsiZGF0YSI6MTUsInB1ciI6ImJsb2JfaWQifX0=--cfe5343ec00fb9c6bcacf2e28ee761c24556939f/ad3.png&quot;,&quot;width&quot;:268}" data-trix-content-type="image/png" data-trix-id="9543" data-trix-attributes="{&quot;caption&quot;:&quot;Test caption&quot;,&quot;presentation&quot;:&quot;gallery&quot;}" class="attachment attachment--content attachment--png">
    <figcaption class="attachment__caption attachment__caption--edited">Test
      caption
    </figcaption>
  </figure>
  <span data-trix-cursor-target="right" data-trix-serialize="false"></span>
</div>

Steps to Reproduce

1. add a rich text and upload an image
2. save the record
3. go back to editing the record
4. the preview doesn't show up

Details

• Trix version: 2.1.1
• Browser name and version: firefox/chrome/opera
• Operating system: linux

[gando001]

Hi @xdmx I am having the same issue with 7.1.3.4 and Trix 2.1.1. I noticed that Trix 2.1.1 displays the image preview when using action text 7.1.3.3.

Recently the rails team released a security patch for XSS rails/rails@v7.1.3.3...v7.1.3.4 and they added this code which I think introduces the issue.

def sanitize_content_attachment(content_attachment)
  sanitizer.sanitize(
    content_attachment,
    tags: sanitizer_allowed_tags,
    attributes: sanitizer_allowed_attributes,
    scrubber: scrubber,
  )
end

'img' still appears in the sanitizer_allowed_tags list so I am unsure why it's being removed

[xdmx]

@gando001 you're totally right, I've upgraded back just to trick 2.1.1 and it's working, so it's definitely because of that rails change, I'm going to close this and report it there (:man_facepalming:)

[gando001]

Thanks @xdmx that would be very helpful. I’m still unable to figure out where the issue is or how to fix it

[ghiculescu]

This was fixed in rails/rails#52093