Add Trix Editor and Sanitize Comment HTML#1544
Draft
google-labs-jules[bot] wants to merge 3 commits intomasterfrom
Draft
Add Trix Editor and Sanitize Comment HTML#1544google-labs-jules[bot] wants to merge 3 commits intomasterfrom
google-labs-jules[bot] wants to merge 3 commits intomasterfrom
Conversation
This commit introduces the Trix rich text editor for comments and implements server-side HTML sanitization to prevent XSS vulnerabilities. Key changes: - Added the `trix` and `loofah` gems. - Integrated Trix assets into the application. - Replaced comment text areas with the Trix editor. - Created a `sanitize_comment` helper to: - Whitelist `<strong>`, `<em>`, `<p>`, `<u>`, and `<a>` tags. - Add `target="_blank"` and `rel="noopener"` to all links. - Strip all other HTML tags and attributes. - Applied the sanitization helper to all comment views.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| link['target'] = '_blank' | ||
| end | ||
|
|
||
| fragment.to_s.html_safe |
Check notice
Code scanning / Rubocop
The use of `html_safe` or `raw` may be a security risk. Note
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change adds the Trix rich text editor for a better user experience when writing comments. It also adds server-side HTML sanitization to ensure that only a safe subset of HTML is allowed, and all links open in a new tab securely. This prevents XSS attacks and improves security.