Fix TermTaxonomy attributes sanitizing to not remove translation tags

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Fix `TermTaxonomy` attributes sanitizing to not remove translation tags
+
 ## [2.8.1](https://github.com/owen2345/camaleon-cms/tree/2.8.1) (2024-08-21)
 
 **This release is fixing several security vulnerabilities! Please, upgrade ASAP!**

app/models/camaleon_cms/term_taxonomy.rb

@@ -3,6 +3,12 @@ class TermTaxonomy < CamaleonRecord
     include CamaleonCms::Metas
     include CamaleonCms::CustomFieldsRead
 
+    TRANSLATION_TAG_HIDE_MAP = { '<!--' => '!--', '-->' => '--!' }.freeze
+    TRANSLATION_TAG_HIDE_REGEX = Regexp.new(TRANSLATION_TAG_HIDE_MAP.keys.map { |x| Regexp.escape(x) }.join('|')).freeze
+    TRANSLATION_TAG_RESTORE_MAP = { '--!' => '-->', '!--' => '<!--' }.freeze
+    TRANSLATION_TAG_RESTORE_REGEX =
+      Regexp.new(TRANSLATION_TAG_RESTORE_MAP.keys.map { |x| Regexp.escape(x) }.join('|')).freeze
+
     def self.inherited(subclass)
       super
 
@@ -22,11 +28,16 @@ def self.inherited(subclass)
         %i[name description].each do |attr|
           next unless new_record? || attribute_changed?(attr)
 
-          self[attr] = ActionController::Base.helpers.sanitize(__send__(attr))
+          self[attr] = ActionController::Base.helpers.sanitize(
+            __send__(attr).gsub(TRANSLATION_TAG_HIDE_REGEX, TRANSLATION_TAG_HIDE_MAP)
+          ).gsub(TRANSLATION_TAG_RESTORE_REGEX, TRANSLATION_TAG_RESTORE_MAP)
         end
       end
     else
-      normalizes :name, :description, with: ->(field) { ActionController::Base.helpers.sanitize(field) }
+      normalizes :name, :description, with: lambda { |field|
+        ActionController::Base.helpers.sanitize(field.gsub(TRANSLATION_TAG_HIDE_REGEX, TRANSLATION_TAG_HIDE_MAP))
+                              .gsub(TRANSLATION_TAG_RESTORE_REGEX, TRANSLATION_TAG_RESTORE_MAP)
+      }
     end
 
     # callbacks

spec/shared_specs/sanitize_attrs.rb

@@ -2,22 +2,21 @@
 
 RSpec.shared_examples 'sanitize attrs' do |model:, attrs_to_sanitize:|
   attrs_to_sanitize.each do |attr|
-    it 'sanitizes name attribute on create' do
-      attrs_for_creation = { attr => '"><script>alert(1)</script>' }
+    it 'sanitizes attributes on create, not touching translation tags' do
+      attrs_for_creation = { attr => '<!--:en-->"><script>alert(1)</script>' }
       attrs_for_creation.merge!(site: @site) if defined?(@site)
       model_instance = model.create(attrs_for_creation)
 
-      expect(model_instance.__send__(attr)).to eql('"&gt;alert(1)')
+      expect(model_instance.__send__(attr)).to eql('<!--:en-->"&gt;alert(1)')
     end
 
-    it 'sanitizes name attribute on update' do
+    it 'sanitizes attributes on update, not touching translation tags' do
       attrs_for_creation = { attr => 'Legit text' }
       attrs_for_creation.merge!(site: @site) if defined?(@site)
       model_instance = model.create(attrs_for_creation)
-      # attrs_for_creation = { attr => '"><script>alert(1)</script>' }
-      model_instance.update(attr => '"><script>alert(1)</script>')
+      model_instance.update(attr => '<!--:en-->"><script>alert(1)</script>')
 
-      expect(model_instance.__send__(attr)).to eql('"&gt;alert(1)')
+      expect(model_instance.__send__(attr)).to eql('<!--:en-->"&gt;alert(1)')
     end
   end
 end