Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix XSS vulnerability on paste #1156

Merged
merged 2 commits into from
Aug 1, 2024
Merged

Fix XSS vulnerability on paste #1156

merged 2 commits into from
Aug 1, 2024

Conversation

afcapel
Copy link
Contributor

@afcapel afcapel commented May 28, 2024

This PR fixes a security vulnerability related to pasting malicious code in a Trix editor. In PR #1149, we added sanitation for Trix attachments with a text/html content type. However, Trix only checks the content type on the paste event's dataTransfer object. As long as the dataTransfer has a content type of text/html, Trix parses its contents and creates an Attachment with them, even if the attachment itself doesn't have a text/html content type. Trix then uses the attachment content to set the attachment element's innerHTML.

This PR introduces a new HTMLSanitizer.setHTML(element, html) method to safely set the innerHTML of an element and then replaces all instances where innerHTML was being directly assigned without sanitation.

Ref.

@jorgemanrubia jorgemanrubia merged commit 7656f57 into main Aug 1, 2024
3 checks passed
@jorgemanrubia jorgemanrubia deleted the paste-vuln branch August 1, 2024 08:51
djmb added a commit that referenced this pull request Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants