Sanitize any attachment whose content type starts with text/html

basecamp · May 28, 2024 · ccf7b20 · ccf7b20
1 parent 0c79bcb
commit ccf7b20
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/src/test/system/pasting_test.js b/src/test/system/pasting_test.js
@@ -109,7 +109,7 @@ testGroup("Pasting", { template: "editor_empty" }, () => {
     const pasteData = {
       "text/plain": "x",
       "text/html": `\
-      copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}"></div>me
+      copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/anything&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}"></div>me
       `,
     }
 

diff --git a/src/trix/models/html_parser.js b/src/trix/models/html_parser.js
@@ -42,7 +42,7 @@ const parseTrixDataAttribute = (element, name) => {
   try {
     const data = JSON.parse(element.getAttribute(`data-trix-${name}`))
 
-    if (data.contentType === "text/html" && data.content) {
+    if (data.content) {
       data.content = HTMLSanitizer.sanitize(data.content).getHTML()
     }