Files
fizzy/test/helpers/action_text_rendering_test.rb
Mike Dalessio e9cb2956ee Lightbox uses Stimulus target callbacks instead of data-action
Remove data-action from the sanitizer allowlist to disallow injection
of potentially malicious Stimulus actions in user-provided
content. The lightbox controller now uses imageTarget callbacks to
handle clicks on image links.

Also add the file name as a caption in the light box, and fix the
caption color for dark mode visibility.
2025-12-13 17:06:03 -05:00

16 lines
466 B
Ruby

require "test_helper"
class ActionTextRenderingTest < ActionView::TestCase
test "data-action attributes in user content are stripped" do
malicious_html = <<~HTML
<p>Click here: <a href="#" data-action="dangerous#action">malicious link</a></p>
HTML
content = ActionText::Content.new(malicious_html)
rendered = content.to_s
assert_no_match(/data-action/, rendered)
assert_match(/<a href="#">malicious link<\/a>/, rendered)
end
end