VYPR
Moderate severity · NVD Advisory · Published Jun 4, 2024 · Updated Aug 2, 2024

ActionText ContentAttachment can Contain Unsanitized HTML

CVE-2024-32464

Description

Action Text brings rich text content and editing to Rails. Instances of ActionText::Attachable::ContentAttachment included within a rich_text_area tag could potentially contain unsanitized HTML. This vulnerability is fixed in 7.1.3.4 and 7.2.0.beta2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions               Patched versions
actiontext   RubyGems    >= 7.1.0, < 7.1.3.4             7.1.3.4
actiontext   RubyGems    >= 7.2.0.beta1, < 7.2.0.beta2   7.2.0.beta2

Patches (1)

Commit e215bf3360e6

Sanitize ActionText HTML ContentAttachment in Trix edit view

https://github.com/rails/rails · Zack Deveau · Mar 21, 2024 · via ghsa
3 files changed · +20 -1
  • actiontext/app/helpers/action_text/content_helper.rb (+9 -0, modified)
    @@ -16,6 +16,15 @@ def render_action_text_content(content)
           sanitize_action_text_content(render_action_text_attachments(content))
         end
     
    +    def sanitize_content_attachment(content_attachment)
    +      sanitizer.sanitize(
    +        content_attachment,
    +        tags: sanitizer_allowed_tags,
    +        attributes: sanitizer_allowed_attributes,
    +        scrubber: scrubber,
    +      )
    +    end
    +
         def sanitize_action_text_content(content)
           sanitizer.sanitize(
             content.to_html,
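Review bot: sanitize_content_attachment is a near-copy of sanitize_action_text_content directly below it (same sanitizer, same tags, attributes and scrubber options), differing only in that it takes an HTML String instead of calling .to_html; routing both through one private method that takes the string would keep the two allowlists from drifting apart in a later change. The new method is also public on a view helper module, so it becomes callable from every view; a one-line comment saying it exists for ActionText::Content#render_attachments would record that intent.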
    
  • actiontext/lib/action_text/content.rb (+2 -1, modified)
    @@ -22,7 +22,7 @@ module ActionText
       #     body.to_s # => "<h1>Funny times!</h1>"
       #     body.to_plain_text # => "Funny times!"
       class Content
    -    include Rendering, Serialization
    +    include Rendering, Serialization, ContentHelper
     
         attr_reader :fragment
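Review bot: including the whole ContentHelper view-helper module into ActionText::Content to reach a single method also mixes render_action_text_content, sanitize_action_text_content and the sanitizer accessors into Content's public instance interface; a smaller shared module holding only the sanitize method, or calling it through the existing ActionText::ContentHelper constant from render_attachments, would give the class what it needs without widening its API.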
     
    @@ -97,6 +97,7 @@ def append_attachables(attachables)
     
         def render_attachments(**options, &block)
           content = fragment.replace(ActionText::Attachment.tag_name) do |node|
    +        node["content"] = sanitize_content_attachment(node["content"])
             block.call(attachment_for_node(node, **options))
           end
           self.class.new(content, canonicalize: false)
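Review bot: node["content"] is reassigned for every attachment node, including the sgid-backed records and images that carry no content attribute, so the line depends on the sanitizer accepting nil and returning something that does not leave an empty content="" behind; a guard such as `node["content"] = sanitize_content_attachment(node["content"]) if node["content"]` makes that explicit. Sanitizing here at render time rather than on save also means stored bodies keep the raw markup, which is a reasonable fix but is worth stating in the commit message, since any rendering path that bypasses render_attachments would still see it.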
    
  • actiontext/test/unit/attachment_test.rb (+9 -0, modified)
    @@ -79,6 +79,15 @@ class ActionText::AttachmentTest < ActiveSupport::TestCase
         end
       end
     
    +  test "sanitizes HTML content attachment" do
    +    attachment = attachment_from_html('<action-text-attachment content-type="text/html" content="<img src=\&quot;.\&quot; onerror=alert>"></action-text-attachment>')
    +    attachable = attachment.attachable
    +
    +    ActionText::Content.with_renderer MessagesController.renderer do
    +      assert_equal "<img src=\"\\%22.\\%22\">", attachable.to_html.strip
    +    end
    +  end
    +
       test "defaults trix partial to model partial" do
         attachable = Page.create! title: "Homepage"
         assert_equal "pages/page", attachable.to_trix_content_attachment_partial_path
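Review bot: the fixture's `\&quot;` sequences inside a single-quoted Ruby string leave literal backslashes in the stored attribute, and the expected `<img src=\"\\%22.\\%22\">` then bakes in how the sanitizer escapes those backslash-quote pairs, so the assertion is tied to an escaping detail unrelated to the fix; a fixture with plain `&quot;` plus an explicit assert_no_match on `onerror` would state the intent (the event handler is dropped) directly. The commit title names the Trix edit view, but only attachable.to_html is exercised; a second test rendering the same attachment through the Trix path (to_trix_html) would cover that claim.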
    
