Merge commit from fork

djmb · web-flow · commit 752260896468 · 2025-05-08T08:11:38.000+01:00
Use SAFE_FOR_XML for pasted content
diff --git a/src/test/system/pasting_test.js b/src/test/system/pasting_test.js
@@ -119,6 +119,21 @@ testGroup("Pasting", { template: "editor_empty" }, () => {
     delete window.unsanitized
   })
 
+  test("paste data-trix-attachment unsafe html div overload", async () => {
+    window.unsanitized = []
+    const pasteData = {
+      "text/plain": "x",
+      "text/html": `\
+      <div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;<div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><div><a><svg><desc><svg><image><a><desc><svg><image></image></svg></desc></a></image><style><a data-trix-caca='</style><img src=x onerror=window.unsanitized.push(1)>'></a></style></svg></desc></svg></a>&quot;}"></div>
+      `,
+    }
+
+    await pasteContent(pasteData)
+    await delay(20)
+    assert.deepEqual(window.unsanitized, [])
+    delete window.unsanitized
+  })
+
   test("paste data-trix-attachment encoded mathml", async () => {
     window.unsanitized = []
     const pasteData = {
diff --git a/src/trix/models/composition.js b/src/trix/models/composition.js
@@ -127,7 +127,7 @@ export default class Composition extends BasicObject {
   }
 
   insertHTML(html) {
-    const document = HTMLParser.parse(html).getDocument()
+    const document = HTMLParser.parse(html, { purifyOptions: { SAFE_FOR_XML: true } }).getDocument()
     const selectedRange = this.getSelectedRange()
 
     this.setDocument(this.document.mergeDocumentAtRange(document, selectedRange))
diff --git a/src/trix/models/html_parser.js b/src/trix/models/html_parser.js
@@ -66,10 +66,11 @@ export default class HTMLParser extends BasicObject {
     return parser
   }
 
-  constructor(html, { referenceElement } = {}) {
+  constructor(html, { referenceElement, purifyOptions } = {}) {
     super(...arguments)
     this.html = html
     this.referenceElement = referenceElement
+    this.purifyOptions = purifyOptions
     this.blocks = []
     this.blockElements = []
     this.processedElements = []
@@ -84,7 +85,7 @@ export default class HTMLParser extends BasicObject {
   parse() {
     try {
       this.createHiddenContainer()
-      HTMLSanitizer.setHTML(this.containerElement, this.html)
+      HTMLSanitizer.setHTML(this.containerElement, this.html, { purifyOptions: this.purifyOptions })
       const walker = walkTree(this.containerElement, { usingFilter: nodeFilter })
       while (walker.nextNode()) {
         this.processNode(walker.currentNode)
diff --git a/src/trix/models/html_sanitizer.js b/src/trix/models/html_sanitizer.js
@@ -16,8 +16,8 @@ const DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
 const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form noscript".split(" ")
 
 export default class HTMLSanitizer extends BasicObject {
-  static setHTML(element, html) {
-    const sanitizedElement = new this(html).sanitize()
+  static setHTML(element, html, options) {
+    const sanitizedElement = new this(html, options).sanitize()
     const sanitizedHtml = sanitizedElement.getHTML ? sanitizedElement.getHTML() : sanitizedElement.outerHTML
     element.innerHTML = sanitizedHtml
   }
@@ -28,18 +28,20 @@ export default class HTMLSanitizer extends BasicObject {
     return sanitizer
   }
 
-  constructor(html, { allowedAttributes, forbiddenProtocols, forbiddenElements } = {}) {
+  constructor(html, { allowedAttributes, forbiddenProtocols, forbiddenElements, purifyOptions } = {}) {
     super(...arguments)
     this.allowedAttributes = allowedAttributes || DEFAULT_ALLOWED_ATTRIBUTES
     this.forbiddenProtocols = forbiddenProtocols || DEFAULT_FORBIDDEN_PROTOCOLS
     this.forbiddenElements = forbiddenElements || DEFAULT_FORBIDDEN_ELEMENTS
+    this.purifyOptions = purifyOptions || {}
     this.body = createBodyElementForHTML(html)
   }
 
   sanitize() {
     this.sanitizeElements()
     this.normalizeListElementNesting()
-    DOMPurify.setConfig(config.dompurify)
+    const purifyConfig = Object.assign({}, config.dompurify, this.purifyOptions)
+    DOMPurify.setConfig(purifyConfig)
     this.body = DOMPurify.sanitize(this.body)
 
     return this.body

Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ export default class Composition extends BasicObject {`
`127`	`127`	`}`
`128`	`128`
`129`	`129`	`insertHTML(html) {`
`130`		`- const document = HTMLParser.parse(html).getDocument()`
	`130`	`+ const document = HTMLParser.parse(html, { purifyOptions: { SAFE_FOR_XML: true } }).getDocument()`
`131`	`131`	`const selectedRange = this.getSelectedRange()`
`132`	`132`
`133`	`133`	`this.setDocument(this.document.mergeDocumentAtRange(document, selectedRange))`