
ANW-2609 Don't allow dangerous html tags in mixed content #3916

Merged

thimios merged 1 commit into master from ANW-2609-mixed-content-xss on Feb 4, 2026

Conversation

@brianzelip (Collaborator) commented Feb 4, 2026

ANW-2609

This PR fixes a security issue where dangerous HTML tags like `<script>`, `<iframe>`, etc., could be inserted into mixed content fields on the staff application.

Assuming `AppConfig[:allow_mixed_content_title_fields]` is set to true, when you add something like `<script>alert('XSS')</script>` to a title field and save the form, the form invalidation flow kicks in, and the app alerts you that such tags are not allowed.

Screenshot: ANW-2609-solution
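To make the two defences described in this PR concrete, here is an added Ruby example. It is not code from this PR or from the project: a form-side validator that rejects mixed-content titles containing tags outside an allowlist (honouring a toggle that plays the role of `AppConfig[:allow_mixed_content_title_fields]`), and an output-side `strip_mixed_content` that removes all markup before a value is placed into a JSON-LD snippet like the one in the review comment further down. The allowlist, the `@id`/`@type` values, the regex-based tag scanner and every function signature are assumptions made for this example; only the name `strip_mixed_content` comes from the page.

```ruby
require 'json'

# Hypothetical example, not ArchivesSpace's own code.
# Allowlist of inline tags a mixed-content title may contain (constructed for
# this example; a real application's list will differ).
MIXED_CONTENT_ALLOWED_TAGS = %w[emph title persname corpname famname geogname
                                subject function occupation date num lb].freeze

# Matches an opening, closing or self-closing tag and captures its name.
# A regex is enough for a demo; a real implementation should use an HTML/XML
# parser so that malformed markup cannot slip past the scanner.
TAG_RE = %r{<\s*/?\s*([a-zA-Z][a-zA-Z0-9:-]*)[^>]*>}

# Returns the lower-cased, de-duplicated names of tags that are not allowed.
# When mixed content is switched off entirely, every tag is disallowed.
def disallowed_mixed_content_tags(value, allow_mixed_content: true)
  return [] if value.nil?

  names = value.scan(TAG_RE).flatten.map(&:downcase).uniq
  allow_mixed_content ? names - MIXED_CONTENT_ALLOWED_TAGS : names
end

# Form-validation step: returns an array of error messages, empty when the
# title is acceptable, so the form invalidation flow can show them to the user.
def validate_mixed_content_title(value, allow_mixed_content: true)
  bad = disallowed_mixed_content_tags(value, allow_mixed_content: allow_mixed_content)
  return [] if bad.empty?

  ["Title contains disallowed tags: #{bad.map { |t| "<#{t}>" }.join(', ')}"]
end

# Output-side defence: remove every tag so that only text reaches contexts
# such as a JSON-LD snippet, regardless of what validation accepted earlier.
# Stripping is repeated until the value stops changing, so that a tag revealed
# by removing an inner tag is removed as well.
def strip_mixed_content(value)
  return value if value.nil?

  stripped = value
  loop do
    again = stripped.gsub(TAG_RE, '')
    break if again == stripped

    stripped = again
  end
  stripped
end

# Builds a minimal JSON-LD snippet with the same keys as the review comment.
# '@id' and '@type' are constructed placeholders.
def md_snippet(display_string)
  {
    '@id' => 'https://example.org/repositories/2/resources/1',
    '@type' => 'CreativeWork',
    'name' => strip_mixed_content(display_string)
  }.to_json
end

if $PROGRAM_NAME == __FILE__
  puts validate_mixed_content_title("<script>alert('XSS')</script>").inspect
  puts validate_mixed_content_title('<emph render="italic">Letters</emph>').inspect
  puts md_snippet('<emph>Letters</emph> of <persname>Jane Smith</persname>')
end
```

The validator rejects at save time, while `strip_mixed_content` guards the rendered output independently, so a value stored before the validation existed still cannot carry markup into the snippet.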

@brianzelip force-pushed the ANW-2609-mixed-content-xss branch from 9dabbc5 to 377d70b on February 4, 2026 14:25
@brianzelip requested a review from thimios on February 4, 2026 14:26
coveralls commented Feb 4, 2026

Pull Request Test Coverage Report for Build 21682256042

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 1028 unchanged lines in 107 files lost coverage.
  • Overall coverage decreased (-0.008%) to 79.277%

| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| backend/app/converters/subject_converter.rb | 1 | 60.61% |
| backend/app/lib/bulk_import/subject_handler.rb | 1 | 80.26% |
| backend/app/lib/user_mailer.rb | 1 | 72.73% |
| backend/app/controllers/container.rb | 1 | 52.38% |
| backend/app/model/repository.rb | 1 | 89.74% |
| frontend/app/models/user.rb | 1 | 64.0% |
| backend/app/converters/digital_object_converter.rb | 1 | 81.44% |
| backend/app/controllers/custom_report_template.rb | 1 | 70.59% |
| backend/app/lib/longpolling.rb | 1 | 91.67% |
| backend/app/exporters/serializers/marc_auth.rb | 1 | 83.29% |

Totals:

  • Change from base Build 15878865621: -0.008%
  • Covered Lines: 28160
  • Relevant Lines: 35521

💛 - Coveralls

@brianzelip force-pushed the ANW-2609-mixed-content-xss branch from 377d70b to a6073b4 on February 4, 2026 17:50
'@id' => AppConfig[:public_proxy_url] + uri,
'@type' => level_for_md_mapping,
'name' => display_string,
'name' => strip_mixed_content(display_string),
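Review bot: the rendered view of this hunk has lost its +/- markers, so `'name' => display_string` and `'name' => strip_mixed_content(display_string)` read as two entries with the same key; worth confirming in the raw diff that the old line is the removed one, since a duplicated key in a Ruby hash literal would silently let the later entry win. A one-line comment above the stripped `'name'` entry saying why markup is removed here (the value is emitted into the JSON-LD snippet on the page) would make it clear that this is the output-side complement to the form validation in the PR body, not a duplicate of it.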
@brianzelip (Collaborator, Author):

@thimios these two public model changes fix the partial JSON snippet at the top of the page showing even if `<script>` tags are allowed, i.e.:

[Screenshot]

@thimios merged commit 2bf6cb0 into master on Feb 4, 2026
53 of 57 checks passed
@thimios deleted the ANW-2609-mixed-content-xss branch on February 4, 2026 19:41
@cdibella added this to the 4.2.0 milestone on Mar 9, 2026