FIX: Apply 'allowed_href_schemes' to all src/srcset attributes (#16860)

Previously we were only applying the restriction to `a[href]` and `img[src]`. This commit ensures we apply the same logic to all allowlisted media src attributes.
2025-02-25 18:55:32 -06:00 · 2022-05-19 11:18:30 +01:00
parent 95c85a278e
commit 166fe3bb34
3 changed files with 76 additions and 7 deletions
--- a/app/assets/javascripts/pretty-text/addon/sanitizer.js
+++ b/app/assets/javascripts/pretty-text/addon/sanitizer.js
@@ -41,6 +41,38 @@ export function hrefAllowed(href, extraHrefMatchers) {
  }
 }

+function sanitizeMediaSrc(tag, attrName, value, extraHrefMatchers) {
+  const srcAttrs = {
+    img: ["src"],
+    source: ["src", "srcset"],
+    track: ["src"],
+  };
+
+  if (!srcAttrs[tag]?.includes(attrName)) {
+    return;
+  }
+
+  if (value.startsWith("data:image")) {
+    return attr(attrName, value);
+  }
+
+  if (attrName === "srcset") {
+    const srcset = value.split(",").map((v) => v.split(" ", 2));
+    const sanitizedValue = srcset
+      .map((src) => {
+        const allowedSrc = hrefAllowed(src[0], extraHrefMatchers);
+        if (allowedSrc) {
+          return src[1] ? `${allowedSrc} ${src[1]}` : allowedSrc;
+        }
+      })
+      .join(",");
+    return attr(attrName, sanitizedValue);
+  } else {
+    const returnVal = hrefAllowed(value, extraHrefMatchers);
+    return attr(attrName, returnVal);
+  }
+}
+
 function testDataAttribute(forTag, name, value) {
  return Object.keys(forTag).find((k) => {
    const nameWithMatcher = `^${k.replace(/\*$/, "\\w+?")}`;
@@ -94,10 +126,6 @@ export function sanitize(text, allowLister) {
          (tag === "a" &&
            name === "href" &&
            hrefAllowed(value, extraHrefMatchers)) ||
-          (tag === "img" &&
-            name === "src" &&
-            (/^data:image.*$/i.test(value) ||
-              hrefAllowed(value, extraHrefMatchers))) ||
          (tag === "iframe" &&
            name === "src" &&
            allowedIframes.some((i) => {
@@ -107,6 +135,16 @@ export function sanitize(text, allowLister) {
          return attr(name, value);
        }

+        const sanitizedMediaSrc = sanitizeMediaSrc(
+          tag,
+          name,
+          value,
+          extraHrefMatchers
+        );
+        if (sanitizedMediaSrc) {
+          return sanitizedMediaSrc;
+        }
+
        if (tag === "iframe" && name === "src") {
          return "-STRIP-";
        }