From ccf7b20e0ea54e83f8d29dc8e129f57eea0207ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alberto=20Fern=C3=A1ndez-Capel?= <afcapel@gmail.com>
Date: Tue, 28 May 2024 14:39:30 +0100
Subject: [PATCH] Sanitize any attachment whose content type starts with
 text/html

---
 src/test/system/pasting_test.js | 2 +-
 src/trix/models/html_parser.js  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/test/system/pasting_test.js b/src/test/system/pasting_test.js
index fa9891c6d..492ac0927 100644
--- a/src/test/system/pasting_test.js
+++ b/src/test/system/pasting_test.js
@@ -109,7 +109,7 @@ testGroup("Pasting", { template: "editor_empty" }, () => {
     const pasteData = {
       "text/plain": "x",
       "text/html": `\
-      copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}"></div>me
+      copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/anything&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}"></div>me
       `,
     }
 
diff --git a/src/trix/models/html_parser.js b/src/trix/models/html_parser.js
index de3d3a7dc..306ca3edf 100644
--- a/src/trix/models/html_parser.js
+++ b/src/trix/models/html_parser.js
@@ -42,7 +42,7 @@ const parseTrixDataAttribute = (element, name) => {
   try {
     const data = JSON.parse(element.getAttribute(`data-trix-${name}`))
 
-    if (data.contentType === "text/html" && data.content) {
+    if (data.content) {
       data.content = HTMLSanitizer.sanitize(data.content).getHTML()
     }