Strip HTML comments in data attributes

basecamp · Dec 12, 2024 · 40d7a06 · 40d7a06
1 parent 32b0431
commit 40d7a06
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/src/test/unit/html_sanitizer_test.js b/src/test/unit/html_sanitizer_test.js
@@ -27,6 +27,20 @@ testGroup("HTMLSanitizer", () => {
       assert.equal(document, expectedHTML)
     })
   })
+
+  test("strips HTML comments", () => {
+    const html = "<div><!-- --></div>"
+    const expectedHTML = "<div></div>"
+    const document = HTMLSanitizer.sanitize(html).body.innerHTML
+    assert.equal(document, expectedHTML)
+  })
+
+  test("strips HTML comments in attributes", () => {
+    const html = "<div data-trix-attachment=\"<!-- -->\"></div>"
+    const expectedHTML = "<div data-trix-attachment=\"\"></div>"
+    const document = HTMLSanitizer.sanitize(html).body.innerHTML
+    assert.equal(document, expectedHTML)
+  })
 })
 
 const withDOMPurifyConfig = (attrConfig = {}, fn) => {

diff --git a/src/trix/models/html_sanitizer.js b/src/trix/models/html_sanitizer.js
@@ -69,9 +69,6 @@ export default class HTMLSanitizer extends BasicObject {
             this.sanitizeElement(node)
           }
           break
-        case Node.COMMENT_NODE:
-          nodesToRemove.push(node)
-          break
       }
     }
 
@@ -124,8 +121,8 @@ export default class HTMLSanitizer extends BasicObject {
 }
 
 const createBodyElementForHTML = function(html = "") {
-  // Remove everything after </html>
-  html = html.replace(/<\/html[^>]*>[^]*$/i, "</html>")
+  // Remove everything after </html> and HTML comments
+  html = html.replace(/<\/html[^>]*>[^]*$/i, "</html>").replace(/(<!--.*?-->)/g, "")
   const doc = document.implementation.createHTMLDocument("")
   doc.documentElement.innerHTML = html