🚨 Trix has a stored XSS vulnerability through its attachment attribute

Impact

The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.

An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.16 or later.

Resources

The XSS vulnerability was reported by HackerOne researcher michaelcheers.

2.1.16

Security

• Attachment href attributes are now validated using DOMPurify.isValidAttribute() before rendering as anchor tags. @flavorjones

Added

• New .editorElements and .editorElement properties have been added to <trix-toolbar> elements for accessing associated <trix-editor> elements. @seanpdoyle #1127
• <trix-editor> elements can now function without an associated <input type="hidden"> element when using ElementInternals. This is configured by setting willCreateInput = false in the before-trix-initialize event and using the [name] attribute for form submissions. @seanpdoyle #1128
• Alt text can now be set on attachment preview images via attachment.setAttributes({ alt: "..." }) in trix-attachment-add event handlers. @seanpdoyle #1198
• Attachment preview URLs can be customized using the new setPreviewURL() and getPreviewURL() methods on ManagedAttachment, accessible from event handlers. @seanpdoyle #1210
• A new trix-before-render event is dispatched before rendering, with a customizable render property for advanced use cases like morph-style rendering integration. @seanpdoyle #1252
• When no associated <input> element is present, HTML content within <trix-editor> tags is now safely sanitized and loaded as the initial editor value. @seanpdoyle #1253

New Contributors

• @flavorjones made their first contribution in #1234
• @MatheusRich made their first contribution in #1162

Full Changelog: v2.1.15...v2.1.16

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 51 commits:

• v2.1.16
• Fix XSS vulnerability in attachment href rendering
• Make "yarn version" commit changes to the ruby gem, too
• Merge pull request #1271 from basecamp/flavorjones/ci-sauce-labs
• ci: stabilize Sauce Labs with SC5 tunnel
• Merge pull request #1270 from basecamp/flavorjones/fix-minitest-errors
• action_text-trix: pin minitest to < 6
• yarn build
• Merge pull request #1269 from basecamp/flavorjones/revert-mousedown-click-change
• Revert "Toolbar Button: Handle `click` instead of `mousedown`"
• Merge pull request #1265 from basecamp/rails-8-1-ci-matrix
• Add `8-1-stable` branch to CI matrix
• Merge pull request #1263 from seanpdoyle/fix-action_text-trix-assets
• Fix stale `app/assets/javascripts/trix.js` file
• Merge pull request #1262 from basecamp/flavorjones/fix-ci
• ci: Make sure continue-on-error is always valid
• ci: Try to fix the apt-install errors
• Merge pull request #1258 from seanpdoyle/rails-engine-test-coverage
• `action_text-trix`: Add test coverage for Engine
• Merge pull request #1210 from seanpdoyle/issue-1154
• Merge pull request #1198 from seanpdoyle/attachment-preview-alt
• Merge pull request #1127 from seanpdoyle/trix-toolbar-editorElement-property
• Merge pull request #1201 from seanpdoyle/toolbar-button-click
• Merge pull request #1260 from basecamp/document-trix-attachment-edit
• Document `trix-attachment-edit` in `README.md`
• Merge pull request #1162 from MatheusRich/patch-1
• Merge branch 'main' into patch-1
• Support setting `img[alt]` on `ManagedAttachment`
• Toolbar Button: Handle `click` instead of `mousedown`
• Customize Attachment Preview URL
• Define `TrixToolbarElement.editorElements` property
• Merge pull request #1253 from basecamp/editor-preload-content
• Merge pull request #1256 from basecamp/action_text-trix
• Build `action_text-trix` assets with existing tools
• Read initial editor value from HTML content
• Merge pull request #1257 from seanpdoyle/package-json-node-version
• Merge pull request #1255 from seanpdoyle/fix-ci
• Update `.node-version` and `engine` property in `package.json`
• Pass CI
• Merge pull request #1128 from seanpdoyle/element-internals
• Merge pull request #1252 from seanpdoyle/editor-render
• Dispatch `trix-before-render` event
• `ElementInternals`: Support without `<input>` element
• Merge pull request #1235 from basecamp/flavorjones/rails-integration-tests
• ci: integration test with Action Text
• ci: improve the pipeline
• Enable "mfa required" for the ruby gem
• Fix the name of the rake task used to release ruby.
• Merge pull request #1234 from basecamp/flavorjones/package-in-ruby-gem
• Update build and release tasks to include the Ruby gem
• Create a ruby gem package

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)