Sanitize ActionText HTML ContentAttachment in Trix edit view

fresh-eggs · tenderlove · commit e215bf3360e6 · 2024-06-04T10:08:12.000-07:00
[CVE-2024-32464] Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This could lead to a potential cross site scripting issue within the Trix editor. This change enforces existing sanitization routines on ActionText::Attachable::ContentAttachment attachments.
diff --git a/actiontext/app/helpers/action_text/content_helper.rb b/actiontext/app/helpers/action_text/content_helper.rb
@@ -16,6 +16,15 @@ def render_action_text_content(content)
       sanitize_action_text_content(render_action_text_attachments(content))
     end
 
+    def sanitize_content_attachment(content_attachment)
+      sanitizer.sanitize(
+        content_attachment,
+        tags: sanitizer_allowed_tags,
+        attributes: sanitizer_allowed_attributes,
+        scrubber: scrubber,
+      )
+    end
+
     def sanitize_action_text_content(content)
       sanitizer.sanitize(
         content.to_html,
diff --git a/actiontext/lib/action_text/content.rb b/actiontext/lib/action_text/content.rb
@@ -22,7 +22,7 @@ module ActionText
   #     body.to_s # => "<h1>Funny times!</h1>"
   #     body.to_plain_text # => "Funny times!"
   class Content
-    include Rendering, Serialization
+    include Rendering, Serialization, ContentHelper
 
     attr_reader :fragment
 
@@ -97,6 +97,7 @@ def append_attachables(attachables)
 
     def render_attachments(**options, &block)
       content = fragment.replace(ActionText::Attachment.tag_name) do |node|
+        node["content"] = sanitize_content_attachment(node["content"])
         block.call(attachment_for_node(node, **options))
       end
       self.class.new(content, canonicalize: false)
diff --git a/actiontext/test/unit/attachment_test.rb b/actiontext/test/unit/attachment_test.rb
@@ -79,6 +79,15 @@ class ActionText::AttachmentTest < ActiveSupport::TestCase
     end
   end
 
+  test "sanitizes HTML content attachment" do
+    attachment = attachment_from_html('<action-text-attachment content-type="text/html" content="<img src=\&quot;.\&quot; onerror=alert>"></action-text-attachment>')
+    attachable = attachment.attachable
+
+    ActionText::Content.with_renderer MessagesController.renderer do
+      assert_equal "<img src=\"\\%22.\\%22\">", attachable.to_html.strip
+    end
+  end
+
   test "defaults trix partial to model partial" do
     attachable = Page.create! title: "Homepage"
     assert_equal "pages/page", attachable.to_trix_content_attachment_partial_path
