Backport CVE-2024-34341 fixes to v1.3

.github/workflows/ci.yml

@@ -13,7 +13,7 @@ jobs:
         bundler-cache: true
     - uses: actions/setup-node@v2-beta
       with:
-        node-version: 11
+        node-version: 16
     - uses: actions/cache@v2
       with:
         path: test/node_modules

.ruby-version

@@ -1 +1 @@
-2.3.4
+2.7.6

Gemfile.lock

@@ -1,61 +1,70 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (5.0.0.1)
+    activesupport (7.1.3.2)
+      base64
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (~> 0.7)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
+      connection_pool (>= 2.2.5)
+      drb
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      mutex_m
+      tzinfo (~> 2.0)
     addressable (2.4.0)
-    blade (0.7.0)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    blade (0.7.3)
       activesupport (>= 3.0.0)
-      blade-qunit_adapter (~> 2.0.1)
+      blade-qunit_adapter (>= 2.0.1)
       coffee-script
       coffee-script-source
-      curses (~> 1.0.0)
+      curses (>= 1.4.0)
       eventmachine
       faye
       sprockets (>= 3.0)
       thin (>= 1.6.0)
-      thor (~> 0.19.1)
-      useragent (~> 0.16.7)
+      thor (>= 0.19.1)
+      useragent (>= 0.16.7)
     blade-qunit_adapter (2.0.1)
     coffee-script (2.4.1)
       coffee-script-source
       execjs
     coffee-script-source (1.9.3)
     concurrent-ruby (1.0.2)
-    cookiejar (0.3.3)
-    curses (1.0.2)
-    daemons (1.2.4)
+    connection_pool (2.4.1)
+    cookiejar (0.3.4)
+    curses (1.4.5)
+    daemons (1.4.1)
     descendants_tracker (0.0.4)
       thread_safe (~> 0.3, >= 0.3.1)
+    drb (2.2.1)
     eco (1.0.0)
       coffee-script
       eco-source
       execjs
     eco-source (1.1.0.rc.1)
-    em-http-request (1.1.5)
+    em-http-request (1.1.7)
       addressable (>= 2.3.4)
       cookiejar (!= 0.3.1)
       em-socksify (>= 0.3)
       eventmachine (>= 1.0.3)
       http_parser.rb (>= 0.6.0)
-    em-socksify (0.3.1)
+    em-socksify (0.3.2)
       eventmachine (>= 1.0.0.beta.4)
-    eventmachine (1.2.1)
+    eventmachine (1.2.7)
     execjs (2.7.0)
     faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
-    faye (1.2.3)
+    faye (1.4.0)
       cookiejar (>= 0.3.0)
-      em-http-request (>= 0.3.0)
+      em-http-request (>= 1.1.6)
       eventmachine (>= 0.12.0)
-      faye-websocket (>= 0.9.1)
+      faye-websocket (>= 0.11.0)
       multi_json (>= 1.0.0)
       rack (>= 1.0.0)
       websocket-driver (>= 0.5.1)
-    faye-websocket (0.10.5)
+    faye-websocket (0.11.3)
       eventmachine (>= 0.12.0)
       websocket-driver (>= 0.5.1)
     github_api (0.13.1)
@@ -66,14 +75,16 @@ GEM
       multi_json (>= 1.7.5, < 2.0)
       oauth2
     hashie (3.5.6)
-    http_parser.rb (0.6.0)
-    i18n (0.7.0)
-    json (2.0.2)
+    http_parser.rb (0.8.0)
+    i18n (1.14.5)
+      concurrent-ruby (~> 1.0)
+    json (2.7.2)
     jwt (1.5.6)
-    minitest (5.9.1)
+    minitest (5.22.3)
     multi_json (1.12.1)
     multi_xml (0.6.0)
     multipart-post (2.0.0)
+    mutex_m (0.2.0)
     oauth2 (1.4.0)
       faraday (>= 0.8, < 0.13)
       jwt (~> 1.0)
@@ -87,21 +98,21 @@ GEM
       rack (> 1, < 3)
     sprockets-export (1.0.0)
     sprockets-svgo (0.2.0)
-    thin (1.7.0)
+    thin (1.8.2)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (0.19.4)
+    thor (1.3.1)
     thread_safe (0.3.5)
-    tzinfo (1.2.2)
-      thread_safe (~> 0.1)
+    tzinfo (2.0.6)
+      concurrent-ruby (~> 1.0)
     uglifier (2.5.1)
       execjs (>= 0.3.0)
       json (>= 1.8.0)
-    useragent (0.16.8)
-    websocket-driver (0.6.4)
+    useragent (0.16.10)
+    websocket-driver (0.7.6)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.2)
+    websocket-extensions (0.1.5)
 
 PLATFORMS
   ruby
@@ -119,4 +130,4 @@ DEPENDENCIES
   uglifier
 
 BUNDLED WITH
-   1.16.1
+   2.3.8

src/trix/models/html_parser.coffee

@@ -238,7 +238,12 @@ class Trix.HTMLParser extends Trix.BasicObject
 
   parseTrixDataAttribute = (element, name) ->
     try
-     JSON.parse(element.getAttribute("data-trix-#{name}"))
+      data = JSON.parse(element.getAttribute("data-trix-#{name}"))
+
+      if data.contentType == "text/html" and data.content
+        data.content = HTMLSanitizer.sanitize(data.content).getHTML()
+
+      data
     catch
       {}
 

src/trix/models/html_sanitizer.coffee

@@ -3,7 +3,7 @@
 class Trix.HTMLSanitizer extends Trix.BasicObject
   DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ")
   DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
-  DEFAULT_FORBIDDEN_ELEMENTS = "script iframe".split(" ")
+  DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
 
   @sanitize: (html, options) ->
     sanitizer = new this html, options

test/karma.conf.js

@@ -32,72 +32,41 @@ if (process.env.CI) {
     sl_chrome_latest: {
       base: "SauceLabs",
       browserName: "chrome",
-      platform: "Windows 10",
-      version: "latest"
-    },
-    sl_firefox_latest: {
-      base: "SauceLabs",
-      browserName: "firefox",
-      platform: "Windows 10",
       version: "latest"
     },
-    sl_safari_previous: {
+    sl_chrome_latest_i8n: {
       base: "SauceLabs",
-      browserName: "safari",
-      platform: "macOS 10.13",
-      version: "latest-1"
+      browserName: "chrome",
+      version: "latest",
+      chromeOptions: {
+        args: [ "--lang=tr" ]
+      }
     },
-    sl_safari_latest: {
+    sl_safari_12_1: {
       base: "SauceLabs",
       browserName: "safari",
       platform: "macOS 10.13",
-      version: "latest"
-    },
-    sl_edge_previous: {
-      base: "SauceLabs",
-      browserName: "microsoftedge",
-      platform: "Windows 10",
-      version: "17.17134"
+      version: "12.1"
     },
     sl_edge_latest: {
       base: "SauceLabs",
       browserName: "microsoftedge",
       platform: "Windows 10",
-      version: "18.17763"
-    },
-    sl_ie_11: {
-      base: "SauceLabs",
-      browserName: "internet explorer",
-      platform: "Windows 8.1",
-      version: "11"
-    },
-    sl_ios_previous: {
-      base: "SauceLabs",
-      browserName: "safari",
-      platform: "ios",
-      device: "iPhone Simulator",
-      version: "11.3"
-    },
-    sl_ios_latest: {
-      base: "SauceLabs",
-      browserName: "safari",
-      platform: "ios",
-      device: "iPhone Simulator",
-      version: "12.0"
+      version: "latest"
     },
-    sl_android_previous: {
+    sl_android_9: {
       base: "SauceLabs",
       browserName: "chrome",
       platform: "android",
       device: "Android GoogleAPI Emulator",
-      version: "7.1"
+      version: "9.0"
     },
     sl_android_latest: {
       base: "SauceLabs",
       browserName: "chrome",
       platform: "android",
       device: "Android GoogleAPI Emulator",
-      version: "8.1"
+      version: "12.0"
     }
   }
 

test/src/system/pasting_test.coffee

@@ -53,6 +53,30 @@ testGroup "Pasting", template: "editor_empty", ->
         delete window.unsanitized
         done()
 
+  test "paste unsafe html with noscript", (done) ->
+    window.unsanitized = []
+    pasteData =
+      "text/plain": "x",
+      "text/html": "<div><noscript><div class=\"123</noscript>456<img src=1 onerror=window.unsanitized.push(1)//\"></div></noscript></div>"
+
+    pasteContent pasteData, () ->
+      after 20, () ->
+        assert.deepEqual(window.unsanitized, [])
+        delete window.unsanitized
+        done()
+
+  test "paste data-trix-attachment unsafe html", (done) ->
+    window.unsanitized = []
+    pasteData =
+      "text/plain": "x",
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}\"></div>me"
+
+    pasteContent pasteData, ->
+      after 20, ->
+        assert.deepEqual window.unsanitized, []
+        delete window.unsanitized
+        done()
+
   test "prefers plain text when html lacks formatting", (expectDocument) ->
     pasteData =
       "text/html": "<meta charset='utf-8'>a\nb"