Merge pull request #1211 from basecamp/remove-dompurify

Remove dompurify

.blade.yml

@@ -3,7 +3,6 @@ load_paths:
   - test/vendor
   - assets
   - polyfills
-  - vendor
   - src
 
 logical_paths:

assets/trix-core.coffee

@@ -1,3 +1,2 @@
 #= require trix/banner
 #= require trix/index
-#= require vendor

assets/trix.coffee

@@ -1,4 +1,3 @@
 #= require trix/banner
 #= require polyfills
 #= require trix/index
-#= require vendor

bower.json

@@ -23,7 +23,6 @@
     "assets",
     "bin",
     "polyfills",
-    "vendor",
     "src",
     "test",
     "*.md",

dist/trix.css

@@ -1,6 +1,6 @@
 @charset "UTF-8";
 /*
-Trix 1.3.2
+Trix 1.3.4
 Copyright © 2024 Basecamp, LLC
 http://trix-editor.org/*/
 trix-editor {

package.json

@@ -23,12 +23,8 @@
     "url": "https://github.com/basecamp/trix/issues"
   },
   "homepage": "https://trix-editor.org/",
-  "dependencies": {
-    "dompurify": "^3.2.3"
-  },
   "devDependencies": {
     "@babel/core": "^7.17.8",
-    "@babel/preset-env": "^7.26.0",
     "svgo": "^0.6.1"
   }
 }

src/trix/inspector/index.coffee

@@ -4,7 +4,6 @@
 #= require ./control_element
 #= require_tree ./templates
 #= require_tree ./views
-#= require_tree ./vendor
 
 Trix.Inspector =
   views: []

src/trix/models/html_sanitizer.coffee

@@ -3,7 +3,7 @@
 class Trix.HTMLSanitizer extends Trix.BasicObject
   DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ")
   DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
-  DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
+  DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form noscript embed math".split(" ")
 
   @setHTML = (element, html) ->
     sanitizer = new this html
@@ -25,7 +25,6 @@ class Trix.HTMLSanitizer extends Trix.BasicObject
   sanitize: ->
     @sanitizeElements()
     @normalizeListElementNesting()
-    DOMPurify.sanitize @body, ADD_ATTR: ["language"], RETURN_DOM: true
 
   getHTML: ->
     @body.innerHTML

test/.blade.yml

@@ -3,7 +3,6 @@ load_paths:
   - vendor
   - ../assets
   - ../polyfills
-  - ../vendor
   - ../src
 
 build:

test/src/system/pasting_test.coffee

@@ -81,7 +81,7 @@ testGroup "Pasting", template: "editor_empty", ->
     window.unsanitized = []
     pasteData =
       "text/plain": "x",
-      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;math&gt;&lt;mtext&gt;&lt;table&gt;&lt;mglyph&gt;&lt;style&gt;&lt;img src=x onerror=alert()&gt;&lt;/style&gt;XSS POC&quot;}\"></div>me"
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;math&gt;&lt;mtext&gt;&lt;table&gt;&lt;mglyph&gt;&lt;style&gt;&lt;img src=x onerror=window.unsanitized.push(1)&gt;&lt;/style&gt;XSS POC&quot;}\"></div>me"
 
     pasteContent pasteData, ->
       after 20, ->
@@ -93,7 +93,7 @@ testGroup "Pasting", template: "editor_empty", ->
     window.unsanitized = []
     pasteData =
       "text/plain": "x",
-      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;embed src='javascript:alert(1)'&gt;XSS POC&quot;}\"></div>me"
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;embed src='window.unsanitized.push(1)'&gt;XSS POC&quot;}\"></div>me"
 
     pasteContent pasteData, ->
       after 20, ->