diff --git a/src/trix/models/html_parser.coffee b/src/trix/models/html_parser.coffee index 57b45db1d..793ba55a8 100644 --- a/src/trix/models/html_parser.coffee +++ b/src/trix/models/html_parser.coffee @@ -238,7 +238,12 @@ class Trix.HTMLParser extends Trix.BasicObject parseTrixDataAttribute = (element, name) -> try - JSON.parse(element.getAttribute("data-trix-#{name}")) + data = JSON.parse(element.getAttribute("data-trix-#{name}")) + + if data.contentType == "text/html" and data.content + data.content = HTMLSanitizer.sanitize(data.content).getHTML() + + data catch {} diff --git a/src/trix/models/html_sanitizer.coffee b/src/trix/models/html_sanitizer.coffee index 87008ebad..d3fabb08e 100644 --- a/src/trix/models/html_sanitizer.coffee +++ b/src/trix/models/html_sanitizer.coffee @@ -3,7 +3,7 @@ class Trix.HTMLSanitizer extends Trix.BasicObject DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ") DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ") - DEFAULT_FORBIDDEN_ELEMENTS = "script iframe".split(" ") + DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ") @sanitize: (html, options) -> sanitizer = new this html, options diff --git a/test/src/system/pasting_test.coffee b/test/src/system/pasting_test.coffee index b08f5d94a..24b045811 100644 --- a/test/src/system/pasting_test.coffee +++ b/test/src/system/pasting_test.coffee @@ -53,6 +53,31 @@ testGroup "Pasting", template: "editor_empty", -> delete window.unsanitized done() + test "paste unsafe html with noscript", (done) -> + window.unsanitized = [] + pasteData = + "text/plain": "x", + "text/html": "
" + + pasteContent pasteData, () -> + after 20, () -> + assert.deepEqual(window.unsanitized, []) + delete window.unsanitized + done() + + test "paste data-trix-attachment unsafe html", (done) -> + console.log "copyme" + window.unsanitized = [] + pasteData = + "text/plain": "x", + "text/html": "copyme" + + pasteContent pasteData, -> + after 20, -> + assert.deepEqual window.unsanitized, [] + delete window.unsanitized + done() + test "prefers plain text when html lacks formatting", (expectDocument) -> pasteData = "text/html": "a\nb"