Add workaround for new security vulnerability in sanitize 4.x

Description

There is a security advisory for the sanitize gem.

Annoyingly, it is unlikely that we can update the gem easily (refer to and its pull request for more information), so we'll have to use the workaround mentioned.

To test, we’ll probably want to try creating a work with an embed (iframe in particular, so YouTube should be a good test) and our HTML regression test doc, located on the “HTML Tag Regression” page on the internal wiki.

Activity

Sarken
June 26, 2020, 3:06 AM

Embed from YouTube looks good!

With the HTML Tag Regression doc, the name attribute was removed from the span when the document doesn't suggest that’s expected, but I think the document is wrong: the code only allows name on a tags, and that’s not a recent change.

I also noticed the text for the script tag wasn’t still sticking around as indicated in <script>script tag, this text is still here</script><noscript>noscript</noscript>. This is different from production, but it is the correct behavior now: the workaround for this security issue is to remove any content inside script or noscript tags.

So looks good, basically!

redsummernight
June 27, 2020, 9:38 PM

Posted a work with this content:

We ended up with (the element inside iframe is escaped):

Looks good.

redsummernight
June 27, 2020, 9:50 PM

Note that we've silenced the sanitize security warning on both GitHub and Hakiri.

https://hakiri.io/projects/1658db175bdc22/stacks/5f10103a53a942/builds/df372ab42fcdd6/false_positives

DeployedToBeta

Assignee: james_
Reporter: Sarken
Roadmap: Misc
Priority: High
Affects versions:
Fix versions:
Components: BackEnd
Difficulty: Medium
Milestone: Internal 0.9