
Fix XSS vulnerability on paste

Open · afcapel opened this pull request 1 year ago · 0 comments

This PR fixes a security vulnerability related to pasting malicious code in a Trix editor. In PR #1149, we added sanitation for Trix attachments with a text/html content type. However, Trix only checks the content type on the paste event's dataTransfer object. As long as the dataTransfer has a content type of text/html, Trix parses its contents and creates an Attachment with them, even if the attachment itself doesn't have a text/html content type. Trix then uses the attachment content to set the attachment element's innerHTML.

This PR introduces a new HTMLSanitizer.setHTML(element, html) method to safely set the innerHTML of an element and then replaces all instances where innerHTML was being directly assigned without sanitation.

Ref.

  • https://github.com/basecamp/trix/pull/1149
  • https://developer.mozilla.org/en-US/docs/Web/API/DataTransfer

afcapel · May 28 '24 14:05
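The two defensive moves the PR describes, a per-attachment content-type gate and a single sanitizing choke point in front of innerHTML, as an added example that is not Trix's own code. The attachment shape `{contentType, content}`, the tag and attribute allowlists, and the function names are assumptions made for this demonstration; Trix's real HTMLSanitizer parses with the browser's DOM rather than with the small rebuild-from-allowlist approach used here.

```javascript
// Added example, not Trix's code: attachment shape and allowlists are assumptions.
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };
// Only absolute http(s)/mailto, root-relative and fragment links survive.
const SAFE_HREF = /^(https?:|mailto:|\/|#)/i;

// Escape the characters that can open a tag or break out of an attribute value.
function escapeMarkup(s) {
  return s.replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Allowlist sanitizer that rebuilds every tag from scratch; anything not
// recognised (script, style, on* handlers, javascript: URLs) becomes inert text.
function sanitizeHTML(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeMarkup(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const closing = m[1], name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;          // drop the tag, keep its text
    if (closing) { out += `</${name}>`; continue; }
    const attrRe = /([a-zA-Z][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let attrs = "", a;
    while ((a = attrRe.exec(m[3])) !== null) {
      const key = a[1].toLowerCase(), val = (a[2] ?? a[3] ?? a[4] ?? "").trim();
      if (!ALLOWED_ATTRS[name]?.has(key)) continue;  // drops onerror=, style=, ...
      if (key === "href" && !SAFE_HREF.test(val)) continue;
      attrs += ` ${key}="${escapeMarkup(val)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeMarkup(html.slice(last));
}

// Single choke point for writing markup into an element (the role the PR's
// HTMLSanitizer.setHTML plays): nothing reaches innerHTML unsanitized.
function setHTML(element, html) {
  element.innerHTML = sanitizeHTML(html);
  return element.innerHTML;
}

// The paste bug: the dataTransfer said text/html, so attachment content was
// treated as markup regardless of the attachment's own type. Gate on the
// attachment's content type instead; anything else is rendered as plain text.
function attachmentMarkup(attachment) {
  return attachment.contentType === "text/html"
    ? sanitizeHTML(attachment.content)
    : escapeMarkup(attachment.content);
}
```

The sanitizer is idempotent, so routing already-sanitized attachment markup through setHTML does not double-encode it.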