
Fix XSS vulnerability on paste #1156

Merged
merged 2 commits into from
Aug 1, 2024

Conversation

@afcapel (Contributor) commented May 28, 2024

This PR fixes a security vulnerability related to pasting malicious code in a Trix editor. In PR #1149, we added sanitization for Trix attachments with a text/html content type. However, Trix only checks the content type on the paste event's dataTransfer object. As long as the dataTransfer has a content type of text/html, Trix parses its contents and creates an Attachment with them, even if the attachment itself doesn't have a text/html content type. Trix then uses the attachment content to set the attachment element's innerHTML.

This PR introduces a new HTMLSanitizer.setHTML(element, html) method to safely set the innerHTML of an element and then replaces all instances where innerHTML was being directly assigned without sanitization.

Ref.
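The shape of the fix described above, as an added example that is not Trix's code and does not show the internals of its HTMLSanitizer: one `setHTML(element, html)` choke point that sanitizes unconditionally, so the content type declared by the dataTransfer or by the attachment no longer decides whether sanitization happens. The allowlist sanitizer, `renderAttachment`, the attachment shape and the plain-object element are assumptions made for the demo.

```javascript
// Added example, not Trix's own code: sanitize every string before it reaches
// innerHTML instead of trusting the content type the paste dataTransfer or the
// attachment declares. The element is a plain object so this runs under Node.
// The string-based allowlist sanitizer is for illustration only; production
// code should use a DOM-based sanitizer such as DOMPurify.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "img", "div", "span"]);
const ALLOWED_ATTRS = new Set(["href", "src", "alt", "title"]);
const URL_ATTRS = new Set(["href", "src"]);

// Relative URLs and http(s)/mailto are kept; javascript:, data: etc. are dropped.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return !/^[a-z][a-z0-9+.-]*:/.test(v) || /^(https?|mailto):/.test(v);
}

function sanitizeAttrs(raw) {
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let out = "";
  for (const m of raw.matchAll(re)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) continue;               // drops onerror=, style=, ...
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue; // drops href="javascript:..."
    out += ` ${name}="${value.replace(/"/g, "&quot;")}"`;
  }
  return out;
}

function sanitizeHTML(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = "", last = 0, skipping = null; // skipping: inside <script>/<style>
  const esc = (t) => t.replace(/</g, "&lt;").replace(/>/g, "&gt;");
  for (const m of html.matchAll(tagRe)) {
    const text = html.slice(last, m.index);
    last = m.index + m[0].length;
    const name = m[1].toLowerCase(), closing = m[0].startsWith("</");
    if (skipping) { if (closing && name === skipping) skipping = null; continue; }
    out += esc(text);
    if (name === "script" || name === "style") { if (!closing) skipping = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue;                // unknown tag: keep text, drop tag
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(m[2])}>`;
  }
  return skipping ? out : out + esc(html.slice(last));
}

// The fix's shape: a single choke point for innerHTML assignment.
function setHTML(element, html) { element.innerHTML = sanitizeHTML(html); return element; }

// Attachment content is sanitized whatever attachment.contentType says.
function renderAttachment(element, attachment) { return setHTML(element, attachment.content); }
```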

@jorgemanrubia jorgemanrubia merged commit 7656f57 into main Aug 1, 2024
3 checks passed
@jorgemanrubia jorgemanrubia deleted the paste-vuln branch August 1, 2024 08:51