Comments (9)

p8 commented on June 27, 2024

You could try explicitly unsetting the content attribute:

        if node.key? "content"
          node["content"] = sanitize_content_attachment(node["content"])
        end
        # Add this line to unset it:
        node.delete("content") if node["content"].blank?

from rails.
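As an added example (not code from the Rails project or from any commenter), a stand-alone Ruby audit that walks stored ActionText HTML, flags `<action-text-attachment>` tags whose content attribute is present but blank (the pattern seen in the broken full_attributes dumps later in this thread), and strips that attribute the way the suggestion above does. The tag regex, the helper names and the sample HTML are assumptions.

```ruby
# Added example, not Rails code: audit ActionText HTML for attachment tags
# whose "content" attribute is present but blank, and strip that attribute.
ATTACHMENT_TAG = /<action-text-attachment\b([^>]*)>/i
ATTR = /([a-zA-Z_][\w-]*)\s*=\s*"([^"]*)"/

# Parse the attribute string of one opening tag into a Hash of name => value.
def parse_attrs(attr_string)
  attr_string.scan(ATTR).to_h
end

def blank_content?(attrs)
  attrs.key?("content") && attrs["content"].strip.empty?
end

# One Hash per attachment: sgid, filename and whether content="" is present.
def audit_attachments(html)
  html.scan(ATTACHMENT_TAG).map do |(attr_string)|
    attrs = parse_attrs(attr_string)
    { sgid: attrs["sgid"], filename: attrs["filename"],
      blank_content: blank_content?(attrs) }
  end
end

# Remove a blank content attribute from every attachment tag; tags with real
# content, or with no content attribute at all, are returned unchanged.
def strip_blank_content(html)
  html.gsub(ATTACHMENT_TAG) do |tag|
    attrs = parse_attrs(Regexp.last_match(1))
    blank_content?(attrs) ? tag.sub(/\s+content\s*=\s*"\s*"/, "") : tag
  end
end

# Constructed sample modelled on the full_attributes dumps in this thread:
# the first attachment carries content="", the second has no content attribute.
# The sgid values are placeholders, not real signed global ids.
SAMPLE_HTML = <<~HTML
  <div class="trix-content">
    <action-text-attachment sgid="SGID-BROKEN-PLACEHOLDER" content-type="image/png" filename="max edit.png" filesize="564421" presentation="gallery" content=""></action-text-attachment>
    <action-text-attachment sgid="SGID-OK-PLACEHOLDER" content-type="image/png" filename="ok.png" filesize="378036" presentation="gallery"></action-text-attachment>
  </div>
HTML

if __FILE__ == $PROGRAM_NAME
  audit_attachments(SAMPLE_HTML).each { |a| puts a.inspect }
  puts strip_blank_content(SAMPLE_HTML)
end
```

Run it against a column dump of your rich-text bodies to count how many stored attachments carry the blank attribute before deciding whether a data migration is needed.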

rafaelfranca commented on June 27, 2024

Were you able to see the difference of the content saved to the database in each version?

apmiller108 commented on June 27, 2024

I'm seeing the same thing after upgrading to 7.1.3.4. As far as I can tell the img tags are being stripped out of the rendered content despite the tag being included in the ActionText::ContentHelper.sanitizer.class.allowed_tags. I've only tried to debug this a bit, but the issue appears to be with this change: v7.1.3.3...v7.1.3.4#diff-2845a2dd736db0371741dbae62c17e7fd997c7df8e66596020cff068f456854aR97

rafaelfranca commented on June 27, 2024

That change is the security fix, it should not remove the img tags, but it should remove attributes of the tags that can be used to execute JavaScript.

This test here shows the img tag stays there: v7.1.3.3...v7.1.3.4#diff-ed3b3d0b222a44b26a29f21855ab7e60b6418d4917a4a312fb43e50b0572730aR83

maxwell commented on June 27, 2024

Thanks for the quick reply.

The closest I got to the database changes I could find is that "working" previews seem to NOT have a blank "content" key in full_attributes.

Broken Preview Attachment

{"sgid"=>
  "eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaEpJanBuYVdRNkx5OWlZV05yWlhKcmFYUXZRV04wYVhabFUzUnZjbUZuWlRvNlFteHZZaTh4TkRrM05qUV9aWGh3YVhKbGMxOXBiZ1k2QmtWVSIsImV4cCI6bnVsbCwicHVyIjoiYXR0YWNoYWJsZSJ9fQ==--79c8acad3bccbbccf94f76b3adb7ac93f9be339b",
 "content_type"=>"image/png",
 "url"=>
  "http://www.backerkit.test/rails/active_storage/blobs/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBd1JKQWc9PSIsImV4cCI6bnVsbCwicHVyIjoiYmxvYl9pZCJ9fQ==--0e9dd2a28e88239c490d2dcd558c2ab73ce0e276/max%20edit.png",
 "filename"=>"max edit.png",
 "filesize"=>564421,
 "width"=>"6330",
 "height"=>"2521",
 "previewable"=>true,
 "presentation"=>"gallery",
 "caption"=>"uploaded on .3",
 "content"=>""}

full_attributes created on a fresh, native 7.1.3.4 attachment

{"sgid"=>
  "eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaEpJanBuYVdRNkx5OWlZV05yWlhKcmFYUXZRV04wYVhabFUzUnZjbUZuWlRvNlFteHZZaTh4TkRrM05qWV9aWGh3YVhKbGMxOXBiZ1k2QmtWVSIsImV4cCI6bnVsbCwicHVyIjoiYXR0YWNoYWJsZSJ9fQ==--f5cfc60a65c7e05886ba5a3bc0e1800901b825f4",
 "content_type"=>"image/png",
 "url"=>
  "http://www.backerkit.test/rails/active_storage/blobs/redirect/eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaHBBd1pKQWc9PSIsImV4cCI6bnVsbCwicHVyIjoiYmxvYl9pZCJ9fQ==--7d9ab5dbe5f4c5026a324dc33a3dbb54b13c9960/max%20edit.png",
 "filename"=>"max edit.png",
 "filesize"=>564421,
 "width"=>"6330",
 "height"=>"2521",
 "previewable"=>true,
 "presentation"=>"gallery"}

Unfortunately, I couldn't find where the list of these keys would be stored in the ActionText object hierarchy in the database exactly.

maxwell commented on June 27, 2024

I think maybe there is a related issue that the content being present is somehow escaping the wrong thing, or sanitizing with a different set of sanitizers, hence the img getting stripped out.

tobiasrohloff commented on June 27, 2024

We experience the same issue and can confirm it was introduced in 1ac6d40. Probably #52093 provides a fix?

philipithomas commented on June 27, 2024

I'm hitting this issue, too.

philipithomas commented on June 27, 2024

Here's what I see between a broken and working attachment:

irb(main):037> working_post.body.body.attachments.first.full_attributes
=>
{"sgid"=>
  "eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaEpJalJuYVdRNkx5OWlhMngwTDBGamRHbDJaVk4wYjNKaFoyVTZPa0pzYjJJdk1UUTVPRFFfWlhod2FYSmxjMTlwYmdZNkJrVlUiLCJleHAiOm51bGwsInB1ciI6ImF0dGFjaGFibGUifX0=--d57d592036b4c7c8ee6252618872855347ee62a0",
 "content_type"=>"image/png",
 "url"=>
  "WORKING URL",
 "filename"=>"Screenshot 2024-06-17 at 13.46.11.png",
 "filesize"=>378036,
 "width"=>2488,
 "height"=>1832,
 "previewable"=>true,
 "presentation"=>"gallery"}
irb(main):038> broken_post.body.body.attachments.first.full_attributes
=>
{"sgid"=>
  "eyJfcmFpbHMiOnsibWVzc2FnZSI6IkJBaEpJalJuYVdRNkx5OWlhMngwTDBGamRHbDJaVk4wYjNKaFoyVTZPa0pzYjJJdk1UUTROVGtfWlhod2FYSmxjMTlwYmdZNkJrVlUiLCJleHAiOm51bGwsInB1ciI6ImF0dGFjaGFibGUifX0=--566de2b594249c1b729b6af0ae745768042c8924",
 "content_type"=>"image/png",
 "url"=>
  "URL THAT 404s",
 "filename"=>"Screenshot 2024-06-10 at 15.43.05.png",
 "filesize"=>"182611",
 "width"=>"1738",
 "height"=>"738",
 "presentation"=>"gallery",
 "content"=>""}

The blank content is the obvious problem.

It's suspicious to me that the filesize goes from an int to a string, too.

Edit: one other clue is that embeds aren't being detected:

irb(main):004> broken_post.body.embeds.size
=> 0
irb(main):005> working_post.body.embeds.size
=> 4