Version 2.1.1 is removing the img from previews #1158

Closed
xdmx opened this issue Jun 11, 2024 · 4 comments

xdmx commented Jun 11, 2024

I've upgraded from v1 to v2.1.1 together with a bunch of other dependencies (including rails 7.1.3.4) and migrated back to a vanilla Trix (before I had a Stimulus controller to add color pickers).

I've noticed that I can upload images and they show the preview, but when I go back to the form and the rich text loads, the preview doesn't contain the img tag anymore.

I've tried to downgrade just rails to 7.1.3.3 and trix to 2.1.0 and retried, and the preview and the img tag show up. Could it be that the sanitize added in #1149 is removing the img tag (the figure and caption are there, just the img is missing)?

The content of the trix-editor:

<div><!--block-->Test
  text<br><span data-trix-cursor-target="left" data-trix-serialize="false"></span>
  <figure contenteditable="false" data-trix-attachment="{&quot;content&quot;:&quot;&quot;,&quot;contentType&quot;:&quot;image/png&quot;,&quot;filename&quot;:&quot;ad3.png&quot;,&quot;filesize&quot;:9996,&quot;height&quot;:60,&quot;previewable&quot;:true,&quot;sgid&quot;:&quot;eyJfcmFpbHMiOnsiZGF0YSI6ImdpZDovL2NyZWF0b3ItbWV0cmljcy9BY3RpdmVTdG9yYWdlOjpCbG9iLzE1P2V4cGlyZXNfaW4iLCJwdXIiOiJhdHRhY2hhYmxlIn19--47d460736d7b19b7934636273a0188f8d920fd4c&quot;,&quot;url&quot;:&quot;http://localhost:3000/rails/active_storage/blobs/redirect/eyJfcmFpbHMiOnsiZGF0YSI6MTUsInB1ciI6ImJsb2JfaWQifX0=--cfe5343ec00fb9c6bcacf2e28ee761c24556939f/ad3.png&quot;,&quot;width&quot;:268}" data-trix-content-type="image/png" data-trix-id="9543" data-trix-attributes="{&quot;caption&quot;:&quot;Test caption&quot;,&quot;presentation&quot;:&quot;gallery&quot;}" class="attachment attachment--content attachment--png">
    <figcaption class="attachment__caption attachment__caption--edited">Test
      caption
    </figcaption>
  </figure>
  <span data-trix-cursor-target="right" data-trix-serialize="false"></span>
</div>

Steps to Reproduce

  1. add a rich text and upload an image
  2. save the record
  3. go back to editing the record
  4. the preview doesn't show up

Details

  • Trix version: 2.1.1
  • Browser name and version: firefox/chrome/opera
  • Operating system: linux
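
A check for the symptom reported above, as an added example that is not part of the original issue or of the Trix or Rails code: it parses editor markup and lists previewable image attachments whose `<figure>` no longer contains an `<img>`. The `sample` markup is constructed from the editor content quoted in the issue with a placeholder URL, and all class and function names are hypothetical.

```python
import json
from html import escape
from html.parser import HTMLParser

class AttachmentAudit(HTMLParser):
    """Record every <figure data-trix-attachment> and whether it wraps an <img>."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.attachments = []   # attachment figures that have been closed
        self.open_figures = []  # stack; None marks a non-attachment <figure>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "figure":
            entry = None
            if attrs.get("data-trix-attachment"):
                try:  # the parser has already decoded &quot; back to quotes
                    meta = json.loads(attrs["data-trix-attachment"])
                except ValueError:
                    meta = {}
                entry = {"meta": meta if isinstance(meta, dict) else {}, "has_img": False}
            self.open_figures.append(entry)
        elif tag == "img":
            for entry in filter(None, self.open_figures):
                entry["has_img"] = True

    def handle_endtag(self, tag):
        if tag == "figure" and self.open_figures:
            entry = self.open_figures.pop()
            if entry is not None:
                self.attachments.append(entry)

def missing_previews(html):
    """Filenames of previewable image attachments whose <figure> has no <img>."""
    audit = AttachmentAudit()
    audit.feed(html)
    audit.close()
    return [a["meta"].get("filename") for a in audit.attachments
            if a["meta"].get("previewable")
            and str(a["meta"].get("contentType", "")).startswith("image/")
            and not a["has_img"]]

def sample(inner, content_type="image/png", previewable=True):
    """Constructed markup modelled on the issue's editor content (placeholder URL)."""
    meta = {"contentType": content_type, "filename": "ad3.png",
            "previewable": previewable, "url": "https://example.invalid/ad3.png"}
    return ('<div><!--block-->Test text<br><figure contenteditable="false" '
            f'data-trix-attachment="{escape(json.dumps(meta), quote=True)}">{inner}'
            '<figcaption class="attachment__caption">Test caption</figcaption></figure></div>')
```

Calling `missing_previews(sample(""))` reports `ad3.png`, while the same markup with an `<img>` inside the figure reports nothing, so the function can serve as a regression assertion on re-rendered editor content after a dependency upgrade.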

gando001 commented Jun 11, 2024

Hi @xdmx I am having the same issue with 7.1.3.4 and Trix 2.1.1. I noticed that Trix 2.1.1 displays the image preview when using action text 7.1.3.3.

Recently the rails team released a security patch for XSS rails/rails@v7.1.3.3...v7.1.3.4 and they added this code which I think introduces the issue.

def sanitize_content_attachment(content_attachment)
  sanitizer.sanitize(
    content_attachment,
    tags: sanitizer_allowed_tags,
    attributes: sanitizer_allowed_attributes,
    scrubber: scrubber,
  )
end

'img' still appears in the sanitizer_allowed_tags list, so I am unsure why it's being removed.


xdmx commented Jun 11, 2024

@gando001 you're totally right, I've upgraded back just to trix 2.1.1 and it's working, so it's definitely because of that rails change, I'm going to close this and report it there (:man_facepalming:)

xdmx closed this as completed Jun 11, 2024

gando001 commented Jun 11, 2024

Thanks @xdmx that would be very helpful. I’m still unable to figure out where the issue is or how to fix it.

@ghiculescu

This was fixed in rails/rails#52093
