Merge pull request #52093 from p8/actiontext/fix-remote-image-preview

Only sanitize `content` attribute when present in attachments

actiontext/CHANGELOG.md

@@ -1,3 +1,8 @@
+*   Only sanitize `content` attribute when present in attachments.
+
+    *Petrik de Heus*
+
+
 ## Rails 7.1.3.4 (June 04, 2024) ##
 
 *   Sanitize ActionText HTML ContentAttachment in Trix edit view

actiontext/lib/action_text/content.rb

@@ -94,7 +94,9 @@ def append_attachables(attachables)
 
     def render_attachments(**options, &block)
       content = fragment.replace(ActionText::Attachment.tag_name) do |node|
-        node["content"] = sanitize_content_attachment(node["content"])
+        if node.key? "content"
+          node["content"] = sanitize_content_attachment(node["content"])
+        end
         block.call(attachment_for_node(node, **options))
       end
       self.class.new(content, canonicalize: false)

actiontext/test/unit/content_test.rb

@@ -158,6 +158,18 @@ class ActionText::ContentTest < ActiveSupport::TestCase
     ActionText::ContentHelper.allowed_attributes = old_attrs
   end
 
+  test "sanitizes attachment markup for Trix" do
+    html = '<action-text-attachment content="<img src=\&quot;.\&quot; onerror=alert>"></action-text-attachment>'
+    trix_html = '<figure data-trix-attachment="{&quot;content&quot;:&quot;<img src=\\&quot;\\\\%22.\\\\%22\\&quot;>&quot;}"></figure>'
+    assert_equal trix_html, content_from_html(html).to_trix_html.strip
+  end
+
+  test "does not add missing content attribute" do
+    html = '<action-text-attachment sgid="123"></action-text-attachment>'
+    trix_html = '<figure data-trix-attachment="{&quot;sgid&quot;:&quot;123&quot;}"></figure>'
+    assert_equal trix_html, content_from_html(html).to_trix_html.strip
+  end
+
   test "renders with layout when in a new thread" do
     html = "<h1>Hello world</h1>"
     rendered = nil