From 6b29f7e3c5ae81e6975add4427dcfafde6dc59d3 Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Bellet
Date: Fri, 26 May 2023 14:39:28 +0200
Subject: [PATCH] Sanitize content with a new TrixScrubber specifically made for trix editor with its allowed tags
---
 app/services/trix_scrubber.rb | 13 +++++++++++++
 app/views/shopping_shared/tabs/_custom.html.haml | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 app/services/trix_scrubber.rb
diff --git a/app/services/trix_scrubber.rb b/app/services/trix_scrubber.rb
new file mode 100644
index 0000000000..b8328ffc1c
--- /dev/null
+++ b/app/services/trix_scrubber.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class TrixScrubber < Rails::Html::PermitScrubber
+ ALLOWED_TAGS = ["p", "b", "strong", "em", "i", "a", "u", "br", "del", "h1", "blockquote", "pre",
+ "ul", "ol", "li"].freeze
+ ALLOWED_ATTRIBUTES = ["href", "target", "src", "alt"].freeze
+
+ def initialize
+ super
+ self.tags = ALLOWED_TAGS
+ self.attributes = ALLOWED_ATTRIBUTES
+ end
+end
diff --git a/app/views/shopping_shared/tabs/_custom.html.haml b/app/views/shopping_shared/tabs/_custom.html.haml
index 68b2fec9ba..45aa3ccc3d 100644
--- a/app/views/shopping_shared/tabs/_custom.html.haml
+++ b/app/views/shopping_shared/tabs/_custom.html.haml
@@ -1,3 +1,3 @@
 .content
 .row
- = @distributor.custom_tab.content.html_safe if @distributor.custom_tab&.content.present?
+ = sanitize(@distributor.custom_tab&.content, scrubber: TrixScrubber.new)
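Review bot: `href` and `src` are permitted in `ALLOWED_ATTRIBUTES` with no scheme restriction visible in this class, so whether a `javascript:` or `data:` URI on a link is dropped depends entirely on the pinned rails-html-sanitizer version routing URI attributes through Loofah's protocol check; that should be confirmed for the version in the Gemfile and pinned by a spec asserting that an anchor with a `javascript:` scheme comes out with its `href` removed. `src` and `alt` are allowed but no `img` or `figure` tag is, so those two entries currently do nothing — either drop them or add `img` deliberately, since Trix attachments are typically emitted as a figure wrapping an img. `target` on user-controlled links is allowed without any way to force `rel="noopener"`; a comment should record that the opener isolation is relied on from browser defaults. A header comment would also help readers, e.g. `# Allow-list scrubber for HTML produced by the Trix editor; style/class and any tag outside ALLOWED_TAGS are stripped.`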
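Review bot: The `.present?` guard is gone, so `sanitize` is now called with `nil` whenever the distributor has no custom tab or its content is blank; as far as I recall the Rails sanitizer returns nil for nil input and the row simply renders empty, but that is an implicit dependency worth either keeping explicit, `= sanitize(@distributor.custom_tab.content, scrubber: TrixScrubber.new) if @distributor.custom_tab&.content.present?`, or covering with a view spec for the nil case. The old `html_safe` path is replaced here, but if `custom_tab.content` is rendered raw anywhere else that path needs the same scrubber — not visible from this diff.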