Merge pull request #2265 from okriuchykhin/ok_SCI_4146

Restrict files to only images in RTE fields [SCI-4146]
2025-09-12 16:14:58 +08:00 · 2020-01-10 10:34:00 +01:00 · 2020-01-10 10:34:00 +01:00 · d2e12e0683
commit d2e12e0683
parent e371715331 403a3e0140
3 changed files with 15 additions and 7 deletions
--- a/app/assets/javascripts/sitewide/tiny_mce_file_upload_plugin.js
+++ b/app/assets/javascripts/sitewide/tiny_mce_file_upload_plugin.js
@ -158,6 +158,7 @@
          if (ctrl.tagName.toLowerCase() === 'input' && ctrl.type !== 'hidden') {
            if (ctrl.type === 'file') {
              ctrl.name = 'file';
+              ctrl.accept = 'image/*';

              tinymce.DOM.setStyles(ctrl, {
                border: 0,
@ -207,7 +208,7 @@
        }
        if (target.document || target.contentDocument) {
          doc = target.contentDocument || target.contentWindow.document;
-          handleResponse(doc.getElementsByTagName('body')[0].innerHTML);
+          handleResponse((doc.getElementsByTagName('pre')[0] || doc.getElementsByTagName('body')[0]).innerHTML);
        } else {
          handleError(I18n.t('tiny_mce.server_not_respond'));
        }
@ -215,12 +216,12 @@

      function handleResponse(ret) {
        var json;
-        var errorJson;
+        var errorsJson;
        try {
          json = tinymce.util.JSON.parse(ret);

-          if (json.error) {
-            handleError(json.error.message);
+          if (json.errors) {
+            handleError(json.errors.join('<br>'));
          } else {
            editor.execCommand('mceInsertContent', false, buildHTML(json));
            editor.windowManager.close();
@ -228,8 +229,8 @@
          }
        } catch (e) {
          // hack that gets the server error message
-          errorJson = JSON.parse($(ret).text());
-          handleError(errorJson.error[0]);
+          errorsJson = JSON.parse($(ret).text());
+          handleError(errorsJson.join('<br>'));
        }
      }

--- a/app/controllers/tiny_mce_assets_controller.rb
+++ b/app/controllers/tiny_mce_assets_controller.rb
@ -11,6 +11,12 @@ class TinyMceAssetsController < ApplicationController

  def create
    image = params.fetch(:file) { render_404 }
+    unless image.content_type.match?(%r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}})
+      return render json: {
+        errors: [I18n.t('tiny_mce.unsupported_image_format')]
+      }, status: :unprocessable_entity
+    end
+
    tiny_img = TinyMceAsset.new(team_id: current_team.id, saved: false)

    tiny_img.transaction do
@ -27,7 +33,7 @@ class TinyMceAssetsController < ApplicationController
      }, content_type: 'text/html'
    else
      render json: {
-        error: tiny_img.errors.full_messages
+        errors: tiny_img.errors.full_messages
      }, status: :unprocessable_entity
    end
  end
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -2085,6 +2085,7 @@ en:
    upload_window_label: 'Choose an image'
    choose_file: 'Choose file'
    no_image_chosen: 'No image chosen'
+    unsupported_image_format: 'Unsupported image format'
    insert_btn: 'Insert'
    error_message: 'You must choose a file'
    server_not_respond: "Didn't get a response from the server"