use DOMParse in pasteHTML to protect against dangerous html

[benbro]

fix #981

[benbro]

Only tested with Firefox 48.

[jhchen]

It seems to have not passed the unit test for Chrome+Firefox on all operating systems.

[benbro]

@is it possible that it's something specific to the tests?
Maybe something in initialize?
https://github.com/quilljs/quill/blob/develop/test/helpers/unit.js#L104
Not sure what's the difference because initialize just set the container's html.

Testing with this PR produce the correct delta when using:

quill.pasteHTML('<p class="ql-align-center">Test</p>');

or

<div class="standalone-container">
  <div id="snow-container"><p class="ql-align-center">Test</p></div>
</div>

Assuming that it'll work, do you want to use DOMParser or close the PR?
I think it's different from dangerouslySetInnerHTML in React because Quill use Delta which I think are safe.
Only pasteHTML was unsafe.

I'm not using pasteHTML myself. I created this PR to help with the discussion.

[jhchen]

If DOMParser works without issue it would be a good idea to use it. I do not want to rename back to pasteHTML though. I want to set the expectation that the HTML you hand Quill should already be safe, and while Quill should do things safely itself, it is not the security solution to unsafe input.

[benbro]

Do you have a suggestion about the failing tests?

[jhchen]

It looks like the reason is getComputedStyle cannot be used. Quill uses this to figure out where to place newlines and sometimes when applications paste HTML that contain classes and <style> tags.

[benbro]

I see. This example gives me:
'inline' in Firefox 49 on Windows 7
empty string in Chrome 53 on Windows 7
'block' in IE11 on Windows 7
http://codepen.io/anon/pen/EgWRrV

[jhchen]

In light of this I'm not seeing a way to use DOMParser.

[benbro]

Thanks