fix(application_html_formatters): sanitize zalgo text before save

adi-herwana-nus · adi-herwana-nus · commit c8b3b4b0f501 · 2026-03-30T19:32:20.000+08:00
diff --git a/app/helpers/application_html_formatters_helper.rb b/app/helpers/application_html_formatters_helper.rb
@@ -145,6 +145,15 @@ def self.build_html_pipeline(custom_options)
     { node_whitelist: [node] }
   end.freeze
 
+  # Collapses runs of more than 3 Unicode combining marks (Zalgo text) down to 3,
+  # preserving legitimate accents (e.g. "Café", "Niño") while blocking vandalism.
+  ZALGO_TEXT_TRANSFORMER = lambda do |env|
+    node = env[:node]
+    return unless node.text?
+
+    node.content = node.content.gsub(/(\p{M}{3})\p{M}+/, '\1')
+  end.freeze
+
   # - Allow whitelisting of base64 encoded images for HTML text.
   # TODO: Remove 'data' from whitelisted protocols once we disable Base64 encoding
   IMAGE_WHITELIST_TRANSFORMER = lambda do |env|
@@ -179,7 +188,7 @@ def self.build_html_pipeline(custom_options)
       'margin-bottom', 'margin-left', 'margin-right', 'margin-top', 'text-align',
       'width', 'list-style-type'
     ] }
-    list[:transformers] |= [VIDEO_WHITELIST_TRANSFORMER, IMAGE_WHITELIST_TRANSFORMER].freeze
+    list[:transformers] |= [ZALGO_TEXT_TRANSFORMER, VIDEO_WHITELIST_TRANSFORMER, IMAGE_WHITELIST_TRANSFORMER].freeze
     list
   end.freeze
 
diff --git a/app/models/course/assessment/live_feedback/message.rb b/app/models/course/assessment/live_feedback/message.rb
@@ -14,4 +14,10 @@ class Course::Assessment::LiveFeedback::Message < ApplicationRecord
   validates :content, exclusion: { in: [nil] }
   validates :creator_id, presence: true
   validates :created_at, presence: true
+
+  before_save :sanitize_text
+
+  def sanitize_text
+    self.content = ApplicationController.helpers.sanitize_ckeditor_rich_text(content)
+  end
 end
diff --git a/app/models/course/assessment/live_feedback_comment.rb b/app/models/course/assessment/live_feedback_comment.rb
@@ -4,4 +4,10 @@ class Course::Assessment::LiveFeedbackComment < ApplicationRecord
 
   validates :line_number, presence: true
   validates :comment, presence: true
+
+  before_save :sanitize_text
+
+  def sanitize_text
+    self.comment = ApplicationController.helpers.sanitize_ckeditor_rich_text(comment)
+  end
 end
diff --git a/spec/helpers/application_formatters_helper_spec.rb b/spec/helpers/application_formatters_helper_spec.rb
@@ -258,6 +258,58 @@ def hello:
         expect(helper.sanitize('<script/>')).to be_empty
       end
     end
+
+    describe '#sanitize_ckeditor_rich_text' do
+      it 'leaves plain text without combining marks unchanged' do
+        html = '<p>Hello World</p>'
+        expect(helper.sanitize_ckeditor_rich_text(html)).to include('Hello World')
+      end
+
+      it 'preserves single combining marks (normal accented characters)' do
+        html = "<p>Cafe\u0301 and Nin\u0303o</p>"
+        result = helper.sanitize_ckeditor_rich_text(html)
+        expect(result).to include("e\u0301") # é via combining mark
+        expect(result).to include("n\u0303") # ñ via combining mark
+      end
+
+      it 'preserves multiple combining marks (e.g. for Indic scripts)' do
+        html = "<p>Ta\u0302\u0301t ca\u0309 mo\u0323i ngu\u031bo\u031b\u0300i sinh ra \u0111e\u0302\u0300u</p>"
+        result = helper.sanitize_ckeditor_rich_text(html)
+        expect(result).to include("\u0302\u0301") # 2 combining marks on 'a'
+        expect(result).to include("\u0309") # 1 combining mark on 'a'
+        expect(result).to include("\u0323") # 1 combining mark on 'o'
+        expect(result).to include("\u031b\u0300") # 2 combining marks on 'o'
+        expect(result).to include("\u0302\u0300") # 2 combining marks on 'e'
+      end
+
+      it 'preserves text with exactly 3 combining marks' do
+        html = "<p>e\u0300\u0301\u0302</p>"
+        result = helper.sanitize_ckeditor_rich_text(html)
+        expect(result).to match(/\p{M}{3}/)
+        expect(result).not_to match(/\p{M}{4}/)
+      end
+
+      it 'collapses 4 combining marks down to 3' do
+        html = "<p>e\u0300\u0301\u0302\u0303</p>"
+        result = helper.sanitize_ckeditor_rich_text(html)
+        expect(result).not_to match(/\p{M}{4,}/)
+      end
+
+      it 'collapses Zalgo-style text with many combining marks down to 3' do
+        # 10 combining marks on a single base character
+        zalgo = "e#{(0x0300..0x0309).map { |cp| cp.chr(Encoding::UTF_8) }.join}"
+        html = "<p>#{zalgo}</p>"
+        result = helper.sanitize_ckeditor_rich_text(html)
+        expect(result).not_to match(/\p{M}{4,}/)
+      end
+
+      it 'handles multiple Zalgo sequences in the same text node' do
+        combining_run = (0x0300..0x0309).map { |cp| cp.chr(Encoding::UTF_8) }.join
+        html = "<p>a#{combining_run} and b#{combining_run}</p>"
+        result = helper.sanitize_ckeditor_rich_text(html)
+        expect(result).not_to match(/\p{M}{4,}/)
+      end
+    end
   end
 
   describe 'user display helper' do
