diff --git a/src/trix/models/html_parser.coffee b/src/trix/models/html_parser.coffee
index 793ba55a8..ee72d0d9b 100644
--- a/src/trix/models/html_parser.coffee
+++ b/src/trix/models/html_parser.coffee
@@ -23,8 +23,7 @@ class Trix.HTMLParser extends Trix.BasicObject
 parse: ->
 try
 @createHiddenContainer()
- html = Trix.HTMLSanitizer.sanitize(@html).getHTML()
- @containerElement.innerHTML = html
+ Trix.HTMLSanitizer.setHTML @containerElement, @html
 walker = walkTree(@containerElement, usingFilter: nodeFilter)
 @processNode(walker.currentNode) while walker.nextNode()
 @translateBlockElementMarginsToNewlines()
@@ -238,12 +237,7 @@ class Trix.HTMLParser extends Trix.BasicObject
 parseTrixDataAttribute = (element, name) ->
 try
- data = JSON.parse(element.getAttribute("data-trix-#{name}"))
-
- if data.contentType == "text/html" and data.content
- data.content = HTMLSanitizer.sanitize(data.content).getHTML()
-
- data
+ JSON.parse element.getAttribute("data-trix-#{name}")
 catch
 {}
diff --git a/src/trix/models/html_sanitizer.coffee b/src/trix/models/html_sanitizer.coffee
index d3fabb08e..6c08fc9c1 100644
--- a/src/trix/models/html_sanitizer.coffee
+++ b/src/trix/models/html_sanitizer.coffee
@@ -5,6 +5,12 @@ class Trix.HTMLSanitizer extends Trix.BasicObject
 DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
 DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
+ @setHTML = (element, html) ->
+ sanitizer = new this html
+ sanitizedElement = sanitizer.sanitize()
+ sanitizedHtml = if sanitizedElement.getHTML? then sanitizedElement.getHTML() else sanitizedElement.outerHTML
+ element.innerHTML = sanitizedHtml
+
 @sanitize: (html, options) ->
 sanitizer = new this html, options
 sanitizer.sanitize()
diff --git a/src/trix/views/attachment_view.coffee b/src/trix/views/attachment_view.coffee
index a9bd5c31f..587c33c3c 100644
--- a/src/trix/views/attachment_view.coffee
+++ b/src/trix/views/attachment_view.coffee
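Review bot: parseTrixDataAttribute now returns the decoded attachment JSON without the `text/html` sanitization that the removed lines applied to `data.content`, so the model holds raw markup and every consumer that renders it is responsible for sanitizing. The two AttachmentView call sites in this commit do go through `Trix.HTMLSanitizer.setHTML`, but any other path that reads `attachment.getContent()` and assigns `innerHTML` directly (none is visible in this diff) would regress; a comment at the `JSON.parse` line such as `# content is stored unsanitized; HTMLSanitizer.setHTML sanitizes it at render time` would make that contract explicit. Note also that `catch` yields `{}` for malformed JSON while a missing attribute yields `JSON.parse(null)`, i.e. `null` — pre-existing, but callers now receive the parsed value untouched and must handle both.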
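Review bot: `setHTML` serializes the sanitized tree with `getHTML()` and hands the string to `element.innerHTML`, so what lands in the document is the browser's re-parse of that string rather than the tree the sanitizer walked; if `sanitize()` exposes the sanitized container, moving its child nodes into `element` would keep the inserted DOM identical to the inspected one and avoid the string round trip. The `outerHTML` fallback also differs in kind from `getHTML()` — it would include the container's own tag — and since every other use of `sanitize` in this diff is followed by `.getHTML()`, the fallback looks dead; either drop it or document when `sanitize()` returns an object without `getHTML`. Two smaller points: `@setHTML = (element, html) ->` is declared with `=` while the neighbouring `@sanitize:` uses `:`, and `setHTML` accepts no `options`, so callers lose what `sanitize(html, options)` still offers.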
@@ -25,7 +25,7 @@ class Trix.AttachmentView extends Trix.ObjectView
 figure.appendChild(innerElement)
 if @attachment.hasContent()
- innerElement.innerHTML = @attachment.getContent()
+ Trix.HTMLSanitizer.setHTML innerElement, @attachment.getContent()
 else
 innerElement.appendChild(node) for node in @createContentNodes()
@@ -118,5 +118,5 @@ class Trix.AttachmentView extends Trix.ObjectView
 htmlContainsTagName = (html, tagName) ->
 div = makeElement("div")
- div.innerHTML = html ? ""
+ Trix.HTMLSanitizer.setHTML div, html or ""
 div.querySelector(tagName)
diff --git a/test/src/system/pasting_test.coffee b/test/src/system/pasting_test.coffee
index b42260322..001938ba4 100644
--- a/test/src/system/pasting_test.coffee
+++ b/test/src/system/pasting_test.coffee
@@ -69,7 +69,7 @@ testGroup "Pasting", template: "editor_empty", ->
 window.unsanitized = []
 pasteData =
 "text/plain": "x",
- "text/html": "copy
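Review bot: `htmlContainsTagName` now inspects sanitized markup, so a tag name the sanitizer strips — `DEFAULT_FORBIDDEN_ELEMENTS` in the html_sanitizer hunk lists `script`, `iframe` and `noscript` — can no longer be detected by this helper even when present in the input; if a caller uses it to decide how embedded content is rendered, that is a behaviour change worth a comment such as `# operates on sanitized HTML; forbidden elements are never found`. The switch from `html ? ""` to `html or ""` also changes null-coalescing to falsy-coalescing, which is equivalent for string input but reads as an unrelated change; keeping `?` would make the line a pure sanitizer swap. The helper's callers are outside the hunk.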
me" + "text/html": "copyme" pasteContent pasteData, -> after 20, -> diff --git a/test/src/test_helpers/fixtures/fixtures.coffee b/test/src/test_helpers/fixtures/fixtures.coffee index 7e7c63863..e068fb3ba 100644 --- a/test/src/test_helpers/fixtures/fixtures.coffee +++ b/test/src/test_helpers/fixtures/fixtures.coffee @@ -326,7 +326,7 @@ removeWhitespace = (string) -> document: new Trix.Document [new Trix.Block text] "content attachment": do -> - content = """""" + content = """ruby-build 20150413 is out, with definitions for 2.2.2, 2.1.6, and 2.0.0-p645 to address recent security issues: https://t.co/YEwV6NtRD8
— Sam Stephenson (@sstephenson) April 13, 2015
""" href = "https://twitter.com/sstephenson/status/587715996783218688" contentType = "embed/twitter"ruby-build 20150413 is out, with definitions for 2.2.2, 2.1.6, and 2.0.0-p645 to address recent security issues: https://t.co/YEwV6NtRD8
— Sam Stephenson (@sstephenson) April 13, 2015