mirror of
https://github.com/chatwoot/chatwoot.git
synced 2026-06-04 21:02:35 +08:00
1beaa284c6
# Pull Request Template ## Description This PR adds support for inline image uploads in the reply editor for Email and Website (chat widget) channels. Agents can now insert images inline between text and resize them directly in the editor by dragging the bottom corner, similar to the help center editor experience. Image sizes are preserved through markdown using the `cw_image_width` URL param and render correctly in both outgoing emails and chat widget messages. Agents can also paste copied images directly into Email or Website replies using **Shift+Cmd+V** (Shift+Ctrl+V on Windows/Linux). The image gets inserted inline at the cursor position and supports resizing just like uploaded images. Regular **Cmd+V / Ctrl+V** behavior remains unchanged and continues to add images as attachments, so both inline and attachment flows are supported. ### Prosemirror repo PR: https://github.com/chatwoot/prosemirror-schema/pull/48 Fixes https://linear.app/chatwoot/issue/CW-7133/inline-images-in-live-chat-and-email https://linear.app/chatwoot/issue/CW-7225/ghsa-8j9w-jppp-xcfc-html-attribute-injection-via-unvalidated-cw-image ## Type of change - [x] New feature (non-breaking change which adds functionality) ## How Has This Been Tested? ### Screencast https://github.com/user-attachments/assets/a928f852-ab15-413a-9d35-6ea69b718ecf <img width="414" height="654" alt="image" src="https://github.com/user-attachments/assets/205e0729-8f2d-4cc5-9c55-7696f032eca4" /> ## Checklist: - [x] My code follows the style guidelines of this project - [x] I have performed a self-review of my code - [x] I have commented on my code, particularly in hard-to-understand areas - [ ] I have made corresponding changes to the documentation - [x] My changes generate no new warnings - [ ] I have added tests that prove my fix is effective or that my feature works - [x] New and existing unit tests pass locally with my changes - [ ] Any dependent changes have been merged and published in downstream modules --------- Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
59 lines
2.2 KiB
Ruby
59 lines
2.2 KiB
Ruby
require 'rails_helper'
|
|
|
|
describe BaseMarkdownRenderer do
|
|
let(:renderer) { described_class.new }
|
|
|
|
def render_markdown(markdown)
|
|
doc = CommonMarker.render_doc(markdown, :DEFAULT)
|
|
renderer.render(doc)
|
|
end
|
|
|
|
describe '#image' do
|
|
context 'when image has a height' do
|
|
it 'renders the img tag with the correct attributes' do
|
|
markdown = ''
|
|
expect(render_markdown(markdown)).to include('<img src="https://example.com/image.jpg?cw_image_height=100px" style="height: 100px;" />')
|
|
end
|
|
end
|
|
|
|
context 'when image has a width' do
|
|
it 'renders the img tag with the correct attributes' do
|
|
markdown = ''
|
|
expect(render_markdown(markdown)).to include(
|
|
'<img src="https://example.com/image.jpg?cw_image_width=200px" style="width: 200px; max-width: 100%; height: auto;" />'
|
|
)
|
|
end
|
|
end
|
|
|
|
context 'when the sizing param contains an attribute-injection payload' do
|
|
it 'drops the malicious height value' do
|
|
markdown = ')'
|
|
rendered = render_markdown(markdown)
|
|
expect(rendered).not_to include('style=')
|
|
expect(rendered).not_to include('onmouseover="')
|
|
end
|
|
|
|
it 'drops the malicious width value' do
|
|
markdown = ')'
|
|
rendered = render_markdown(markdown)
|
|
expect(rendered).not_to include('style=')
|
|
expect(rendered).not_to include('onmouseover="')
|
|
end
|
|
end
|
|
|
|
context 'when image does not have a height' do
|
|
it 'renders the img tag without the height attribute' do
|
|
markdown = ''
|
|
expect(render_markdown(markdown)).to include('<img src="https://example.com/image.jpg" />')
|
|
end
|
|
end
|
|
|
|
context 'when image has an invalid URL' do
|
|
it 'renders the img tag without crashing' do
|
|
markdown = ''
|
|
expect { render_markdown(markdown) }.not_to raise_error
|
|
end
|
|
end
|
|
end
|
|
end
|