Backport Fix XSS vulnerability on paste

Backport fix from #1156

src/trix/models/html_parser.coffee

@@ -23,8 +23,7 @@ class Trix.HTMLParser extends Trix.BasicObject
   parse: ->
     try
       @createHiddenContainer()
-      html = Trix.HTMLSanitizer.sanitize(@html).getHTML()
-      @containerElement.innerHTML = html
+      Trix.HTMLSanitizer.setHTML @containerElement, @html
       walker = walkTree(@containerElement, usingFilter: nodeFilter)
       @processNode(walker.currentNode) while walker.nextNode()
       @translateBlockElementMarginsToNewlines()
@@ -238,12 +237,7 @@ class Trix.HTMLParser extends Trix.BasicObject
 
   parseTrixDataAttribute = (element, name) ->
     try
-      data = JSON.parse(element.getAttribute("data-trix-#{name}"))
-
-      if data.contentType == "text/html" and data.content
-        data.content = HTMLSanitizer.sanitize(data.content).getHTML()
-
-      data
+      JSON.parse element.getAttribute("data-trix-#{name}")
     catch
       {}
 

src/trix/models/html_sanitizer.coffee

@@ -5,6 +5,12 @@ class Trix.HTMLSanitizer extends Trix.BasicObject
   DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
   DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
 
+  @setHTML = (element, html) ->
+    sanitizer = new this html
+    sanitizedElement = sanitizer.sanitize()
+    sanitizedHtml = if sanitizedElement.getHTML? then sanitizedElement.getHTML() else sanitizedElement.outerHTML
+    element.innerHTML = sanitizedHtml
+
   @sanitize: (html, options) ->
     sanitizer = new this html, options
     sanitizer.sanitize()

src/trix/views/attachment_view.coffee

@@ -25,7 +25,7 @@ class Trix.AttachmentView extends Trix.ObjectView
       figure.appendChild(innerElement)
 
     if @attachment.hasContent()
-      innerElement.innerHTML = @attachment.getContent()
+      Trix.HTMLSanitizer.setHTML innerElement, @attachment.getContent()
     else
       innerElement.appendChild(node) for node in @createContentNodes()
 
@@ -118,5 +118,5 @@ class Trix.AttachmentView extends Trix.ObjectView
 
 htmlContainsTagName = (html, tagName) ->
   div = makeElement("div")
-  div.innerHTML = html ? ""
+  Trix.HTMLSanitizer.setHTML div, html or ""
   div.querySelector(tagName)

test/src/system/pasting_test.coffee

@@ -69,7 +69,7 @@ testGroup "Pasting", template: "editor_empty", ->
     window.unsanitized = []
     pasteData =
       "text/plain": "x",
-      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}\"></div>me"
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/anything&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}\"></div>me"
 
     pasteContent pasteData, ->
       after 20, ->

test/src/test_helpers/fixtures/fixtures.coffee

@@ -326,7 +326,7 @@ removeWhitespace = (string) ->
     document: new Trix.Document [new Trix.Block text]
 
   "content attachment": do ->
-    content = """<blockquote class="twitter-tweet" data-cards="hidden"><p>ruby-build 20150413 is out, with definitions for 2.2.2, 2.1.6, and 2.0.0-p645 to address recent security issues: <a href="https://t.co/YEwV6NtRD8">https://t.co/YEwV6NtRD8</a></p>&mdash; Sam Stephenson (@sstephenson) <a href="https://twitter.com/sstephenson/status/587715996783218688">April 13, 2015</a></blockquote>"""
+    content = """<blockquote class="twitter-tweet"><p>ruby-build 20150413 is out, with definitions for 2.2.2, 2.1.6, and 2.0.0-p645 to address recent security issues: <a href="https://t.co/YEwV6NtRD8">https://t.co/YEwV6NtRD8</a></p>&mdash; Sam Stephenson (@sstephenson) <a href="https://twitter.com/sstephenson/status/587715996783218688">April 13, 2015</a></blockquote>"""
     href = "https://twitter.com/sstephenson/status/587715996783218688"
     contentType = "embed/twitter"