From 2fe0cfe3f76f93de7cc8568573274fa682f09249 Mon Sep 17 00:00:00 2001 From: texpert Date: Thu, 22 Aug 2024 19:50:28 +0300 Subject: [PATCH 1/2] Fix TermTaxonomy attributes sanitizing to not remove translation tags --- CHANGELOG.md | 2 ++ app/models/camaleon_cms/term_taxonomy.rb | 15 +++++++++++++-- spec/shared_specs/sanitize_attrs.rb | 13 ++++++------- 3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c680c6fc..383153b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@ ## Unreleased +- Fix `TermTaxonomy` attributes sanitizing to not remove translation tags + ## [2.8.1](https://github.com/owen2345/camaleon-cms/tree/2.8.1) (2024-08-21) **This release is fixing several security vulnerabilities! Please, upgrade ASAP!**
diff --git a/app/models/camaleon_cms/term_taxonomy.rb b/app/models/camaleon_cms/term_taxonomy.rb
index 24286694..86a979ad 100644
--- a/app/models/camaleon_cms/term_taxonomy.rb
+++ b/app/models/camaleon_cms/term_taxonomy.rb
@@ -3,6 +3,12 @@ class TermTaxonomy < CamaleonRecord include CamaleonCms::Metas include CamaleonCms::CustomFieldsRead + TRANSLATION_TAG_HIDE_MAP = { '' => '--!' }.freeze + TRANSLATION_TAG_HIDE_REGEX = Regexp.new(TRANSLATION_TAG_HIDE_MAP.keys.map { |x| Regexp.escape(x) }.join('|')).freeze + TRANSLATION_TAG_RESTORE_MAP = { '--!' => '-->', '!--' => '">' } attrs_for_creation.merge!(site: @site) if defined?(@site) model_instance = model.create(attrs_for_creation) - expect(model_instance.__send__(attr)).to eql('">alert(1)') + expect(model_instance.__send__(attr)).to eql('">alert(1)') end - it 'sanitizes name attribute on update' do + it 'sanitizes attributes on update, not touching translation tags' do attrs_for_creation = { attr => 'Legit text' } attrs_for_creation.merge!(site: @site) if defined?(@site) model_instance = model.create(attrs_for_creation) - # attrs_for_creation = { attr => '">' } - model_instance.update(attr => '">') + model_instance.update(attr => '">') - expect(model_instance.__send__(attr)).to eql('">alert(1)') + expect(model_instance.__send__(attr)).to eql('">alert(1)') end end end From 327b487a4a3a799dcb5e37ddc89aecd4b887c288 Mon Sep 17 00:00:00 2001 From: texpert Date: Thu, 22 Aug 2024 20:45:04 +0300 Subject: [PATCH 2/2] Don't sanitize nil values in Rails < 7.1 (normalizes method in Rails >= 7.1 is ignoring nils by default) --- app/models/camaleon_cms/term_taxonomy.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/models/camaleon_cms/term_taxonomy.rb b/app/models/camaleon_cms/term_taxonomy.rb index 86a979ad..abe88f86 100644 --- a/app/models/camaleon_cms/term_taxonomy.rb +++ b/app/models/camaleon_cms/term_taxonomy.rb 
@@ -29,8 +29,8 @@ def self.inherited(subclass)
 next unless new_record? || attribute_changed?(attr)
 self[attr] = ActionController::Base.helpers.sanitize(
- __send__(attr).gsub(TRANSLATION_TAG_HIDE_REGEX, TRANSLATION_TAG_HIDE_MAP)
- ).gsub(TRANSLATION_TAG_RESTORE_REGEX, TRANSLATION_TAG_RESTORE_MAP)
+ __send__(attr)&.gsub(TRANSLATION_TAG_HIDE_REGEX, TRANSLATION_TAG_HIDE_MAP)
+ )&.gsub(TRANSLATION_TAG_RESTORE_REGEX, TRANSLATION_TAG_RESTORE_MAP)
 end
 end
 else
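Review bot: The trailing `&.gsub(TRANSLATION_TAG_RESTORE_REGEX, TRANSLATION_TAG_RESTORE_MAP)` rewrites the sanitizer's output, so any marker sequence that reaches it — one typed literally in untrusted input as well as one the hide step produced — is turned back into the comment delimiters the first patch's maps define (their values are partly garbled in this rendering), which reintroduces markup after sanitization; the `&.` added here only changes nil handling and does not address that. A safer shape keeps the restore step a strict inverse of the hide step by making the hidden marker unguessable, e.g. prefix each replacement with a per-call `SecureRandom.hex` token and let the restore regex match only token-prefixed markers, then assign the result. The enclosing block starts before this hunk, and the `normalizes` branch above the `else` presumably runs the same hide/restore pipeline, so the same point would apply there. `spec/shared_specs/sanitize_attrs.rb` should gain a case asserting that a literal restore-map key in the input does not come back as a comment delimiter.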