From 2bbb33d225725a14e01aa99d4125f7bfe6ed6859 Mon Sep 17 00:00:00 2001
From: Oleksii Kriuchykhin
Date: Fri, 29 Sep 2023 10:49:53 +0200
Subject: [PATCH] Reduce allowed data attributes in sanitizer config only to data-mce-token [SCI-9369]
---
 config/initializers/constants.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/initializers/constants.rb b/config/initializers/constants.rb
index 622a36add..5f118ec00 100644
--- a/config/initializers/constants.rb
+++ b/config/initializers/constants.rb
@@ -324,7 +324,7 @@ class Constants
 config = Sanitize::Config::RELAXED.deep_dup
 config[:attributes][:all] << 'id'
 config[:attributes][:all] << 'contenteditable'
- config[:attributes][:all] << :data
+ config[:attributes]['img'] << 'data-mce-token'
 INPUT_SANITIZE_CONFIG = Sanitize::Config.freeze_config(config)
 REPOSITORY_DEFAULT_PAGE_SIZE = 10
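Review bot: The new `config[:attributes]['img'] << 'data-mce-token'` line has no comment explaining why the allowlist is this narrow, so a later change could easily restore the blanket `:data` entry that this commit removes. I would add above it something like `# Only data-mce-token on <img> is allowed; arbitrary data-* attributes can be acted on by client-side scripts, so do not re-add :data.` The constant name suggests this config is applied when input is saved; if so, content stored under the old config may still carry other data-* attributes unless it is also sanitized on output, which is worth confirming outside this hunk. A spec asserting that an unlisted data-* attribute is stripped while `data-mce-token` on `img` survives would pin the behaviour. The `class Constants` body starts and ends outside the hunk.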