e9cb2956ee
Remove data-action from the sanitizer allowlist to disallow injection of potentially malicious Stimulus actions in user-provided content. The lightbox controller now uses imageTarget callbacks to handle clicks on image links. Also add the file name as a caption in the light box, and fix the caption color for dark mode visibility.
16 lines
466 B
Ruby
16 lines
466 B
Ruby
require "test_helper"
|
|
|
|
class ActionTextRenderingTest < ActionView::TestCase
|
|
test "data-action attributes in user content are stripped" do
|
|
malicious_html = <<~HTML
|
|
<p>Click here: <a href="#" data-action="dangerous#action">malicious link</a></p>
|
|
HTML
|
|
|
|
content = ActionText::Content.new(malicious_html)
|
|
rendered = content.to_s
|
|
|
|
assert_no_match(/data-action/, rendered)
|
|
assert_match(/<a href="#">malicious link<\/a>/, rendered)
|
|
end
|
|
end
|