

Merge pull request #1149 from basecamp/paste-html-sanitize
Sanitize HTML content in data-trix-* attributes
Alberto Fernández-Capel authored May 1, 2024
2 parents 841ff19 + 14bac18 commit 1a5c68a
Showing 2 changed files with 22 additions and 1 deletion.
15 changes: 15 additions & 0 deletions src/test/system/pasting_test.js
Expand Up @@ -104,6 +104,21 @@ testGroup("Pasting", { template: "editor_empty" }, () => {
delete window.unsanitized
})

test("paste data-trix-attachment unsafe html", async () => {
window.unsanitized = []
const pasteData = {
"text/plain": "x",
"text/html": `\
copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}"></div>me
`,
}

await pasteContent(pasteData)
await delay(20)
assert.deepEqual(window.unsanitized, [])
delete window.unsanitized
})

test("prefers plain text when html lacks formatting", async () => {
const pasteData = {
"text/html": "<meta charset='utf-8'>a\nb",
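Review bot: The new test only proves that the `onerror` handler did not run; it never checks that the benign part of the attachment (`HELLO123`) survived, so a sanitizer that dropped the whole `content` value would pass just as well. Consider a second assertion that the editor's resulting output still contains `HELLO123`, using whatever helper the surrounding tests use to read the editor's document or HTML. The negative assertion also depends on the fixed `delay(20)`, the same pattern as the `window.unsanitized` test just above it, so it is only as strong as that convention; a short comment such as `// Negative check: the sanitized payload must not execute within the paste flush window` would make the intent of the delay explicit. The enclosing `testGroup` starts before the hunk.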
8 changes: 7 additions & 1 deletion src/trix/models/html_parser.js
Expand Up @@ -40,7 +40,13 @@ const blockForAttributes = (attributes = {}, htmlAttributes = {}) => {

const parseTrixDataAttribute = (element, name) => {
try {
return JSON.parse(element.getAttribute(`data-trix-${name}`))
const data = JSON.parse(element.getAttribute(`data-trix-${name}`))

if (data.contentType === "text/html" && data.content) {
data.content = HTMLSanitizer.sanitize(data.content).getHTML()
}

return data
} catch (error) {
return {}
}
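Review bot: The guard `data.contentType === "text/html" && data.content` only sanitizes when the attribute declares HTML; if the attachment renderer inserts `content` as markup regardless of `contentType` (not visible from this hunk), a payload with a different or missing `contentType` skips sanitization entirely, so the check should probably key on a string `content` being present rather than on the declared type, e.g. `if (typeof data?.content === "string") { data.content = HTMLSanitizer.sanitize(data.content).getHTML() }`, unless non-HTML content is known to be rendered as text downstream. Separately, `JSON.parse` can yield `null` or a primitive, and reading `.contentType` on `null` now throws into the `catch` and returns `{}` where the old code returned `null`; that is likely the safer outcome but deserves a comment such as `// Non-object payloads throw here and fall through to the catch, yielding {}`. The `catch` also discards the error without any trace, which makes a sanitizer failure indistinguishable from malformed JSON when debugging. `HTMLSanitizer` must already be imported in this module; the import block and the arrow function's closing brace are both outside the hunk.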
