Backport XSS and mutation XSS fix to 1.3

Backport adding DomPurify to Trix 1.3.x. The vendored DOMPurify was created by running the dompurify node modules through Babel to covert to es5 syntax.
basecamp · Dec 9, 2024 · 6c263d2 · 6c263d2
1 parent d342fbf
commit 6c263d2
Show file tree

Hide file tree

Showing 15 changed files with 604 additions and 15 deletions.
diff --git a/.blade.yml b/.blade.yml
@@ -3,6 +3,7 @@ load_paths:
   - test/vendor
   - assets
   - polyfills
+  - vendor
   - src
 
 logical_paths:

diff --git a/assets/trix-core.coffee b/assets/trix-core.coffee
@@ -1,2 +1,3 @@
 #= require trix/banner
 #= require trix/index
+#= require vendor
diff --git a/assets/trix.coffee b/assets/trix.coffee
@@ -1,3 +1,4 @@
 #= require trix/banner
 #= require polyfills
 #= require trix/index
+#= require vendor
diff --git a/bower.json b/bower.json
@@ -23,6 +23,7 @@
     "assets",
     "bin",
     "polyfills",
+    "vendor",
     "src",
     "test",
     "*.md",

diff --git a/dist/trix-core.js b/dist/trix-core.js
diff --git a/dist/trix.js b/dist/trix.js
diff --git a/package.json b/package.json
@@ -23,7 +23,11 @@
     "url": "https://github.com/basecamp/trix/issues"
   },
   "homepage": "https://trix-editor.org/",
+  "dependencies": {
+    "dompurify": "^3.2.0"
+  },
   "devDependencies": {
+    "@babel/preset-env": "^7.26.0",
     "svgo": "^0.6.1"
   }
 }
diff --git a/src/trix/inspector/index.coffee b/src/trix/inspector/index.coffee
@@ -4,6 +4,7 @@
 #= require ./control_element
 #= require_tree ./templates
 #= require_tree ./views
+#= require_tree ./vendor
 
 Trix.Inspector =
   views: []

diff --git a/src/trix/models/html_sanitizer.coffee b/src/trix/models/html_sanitizer.coffee
@@ -25,6 +25,7 @@ class Trix.HTMLSanitizer extends Trix.BasicObject
   sanitize: ->
     @sanitizeElements()
     @normalizeListElementNesting()
+    DOMPurify.sanitize @body, ADD_ATTR: ["language"], RETURN_DOM: true
 
   getHTML: ->
     @body.innerHTML

diff --git a/test/.blade.yml b/test/.blade.yml
@@ -3,6 +3,7 @@ load_paths:
   - vendor
   - ../assets
   - ../polyfills
+  - ../vendor
   - ../src
 
 build:

diff --git a/test/src/system/pasting_test.coffee b/test/src/system/pasting_test.coffee
@@ -77,6 +77,30 @@ testGroup "Pasting", template: "editor_empty", ->
         delete window.unsanitized
         done()
 
+  test "paste data-trix-attachment encoded mathml", (done) ->
+    window.unsanitized = []
+    pasteData =
+      "text/plain": "x",
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;math&gt;&lt;mtext&gt;&lt;table&gt;&lt;mglyph&gt;&lt;style&gt;&lt;img src=x onerror=alert()&gt;&lt;/style&gt;XSS POC&quot;}\"></div>me"
+
+    pasteContent pasteData, ->
+      after 20, ->
+        assert.deepEqual window.unsanitized, []
+        delete window.unsanitized
+        done()
+
+  test "paste data-trix-attachment encoded embed", (done) ->
+    window.unsanitized = []
+    pasteData =
+      "text/plain": "x",
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;embed src='javascript:alert(1)'&gt;XSS POC&quot;}\"></div>me"
+
+    pasteContent pasteData, ->
+      after 20, ->
+        assert.deepEqual window.unsanitized, []
+        delete window.unsanitized
+        done()
+
   test "prefers plain text when html lacks formatting", (expectDocument) ->
     pasteData =
       "text/html": "<meta charset='utf-8'>a\nb"

diff --git a/vendor/dompurify-banner/index.coffee.erb b/vendor/dompurify-banner/index.coffee.erb
@@ -0,0 +1,3 @@
+###
+<%= depend_on_asset("dompurify-banner.txt").to_s.chomp %>
+###
diff --git a/vendor/dompurify-banner/index.txt.erb b/vendor/dompurify-banner/index.txt.erb
@@ -0,0 +1,4 @@
+DOMPurify 3.2.1
+Copyright © Cure53 and other contributors
+Released under the Apache license 2.0 and Mozilla Public License 2.0
+github.com/cure53/DOMPurify/blob/3.2.1/LICENSE
diff --git a/vendor/dompurify.js b/vendor/dompurify.js
diff --git a/vendor/vendor.coffee b/vendor/vendor.coffee
@@ -0,0 +1,2 @@
+#= require ./dompurify-banner
+#= require ./dompurify
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,7 @@ load_paths: @@
       - test/vendor
       - assets
       - polyfills
+      - vendor
       - src
     logical_paths:
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#= require ./dompurify-banner
		#= require ./dompurify