basecamp · djmb · Dec 9, 2024 · Dec 9, 2024 · Dec 9, 2024
diff --git a/.blade.yml b/.blade.yml
@@ -3,6 +3,7 @@ load_paths:
   - test/vendor
   - assets
   - polyfills
+  - vendor
   - src
 
 logical_paths:

diff --git a/assets/trix-core.coffee b/assets/trix-core.coffee
@@ -1,2 +1,3 @@
 #= require trix/banner
 #= require trix/index
+#= require vendor
diff --git a/assets/trix.coffee b/assets/trix.coffee
@@ -1,3 +1,4 @@
 #= require trix/banner
 #= require polyfills
 #= require trix/index
+#= require vendor
diff --git a/bower.json b/bower.json
@@ -23,6 +23,7 @@
     "assets",
     "bin",
     "polyfills",
+    "vendor",
     "src",
     "test",
     "*.md",

diff --git a/dist/trix-core.js b/dist/trix-core.js
diff --git a/dist/trix.js b/dist/trix.js
diff --git a/package.json b/package.json
@@ -23,7 +23,11 @@
     "url": "https://github.com/basecamp/trix/issues"
   },
   "homepage": "https://trix-editor.org/",
+  "dependencies": {
+    "dompurify": "^3.2.0"
+  },
   "devDependencies": {
+    "@babel/preset-env": "^7.26.0",
     "svgo": "^0.6.1"
   }
 }
diff --git a/src/trix/inspector/index.coffee b/src/trix/inspector/index.coffee
@@ -4,6 +4,7 @@
 #= require ./control_element
 #= require_tree ./templates
 #= require_tree ./views
+#= require_tree ./vendor
 
 Trix.Inspector =
   views: []

diff --git a/src/trix/models/html_parser.coffee b/src/trix/models/html_parser.coffee
@@ -23,8 +23,7 @@ class Trix.HTMLParser extends Trix.BasicObject
   parse: ->
     try
       @createHiddenContainer()
-      html = Trix.HTMLSanitizer.sanitize(@html).getHTML()
-      @containerElement.innerHTML = html
+      Trix.HTMLSanitizer.setHTML @containerElement, @html
       walker = walkTree(@containerElement, usingFilter: nodeFilter)
       @processNode(walker.currentNode) while walker.nextNode()
       @translateBlockElementMarginsToNewlines()
@@ -238,12 +237,7 @@ class Trix.HTMLParser extends Trix.BasicObject
 
   parseTrixDataAttribute = (element, name) ->
     try
-      data = JSON.parse(element.getAttribute("data-trix-#{name}"))
-
-      if data.contentType == "text/html" and data.content
-        data.content = HTMLSanitizer.sanitize(data.content).getHTML()
-
-      data
+      JSON.parse element.getAttribute("data-trix-#{name}")
     catch
       {}
 

diff --git a/src/trix/models/html_sanitizer.coffee b/src/trix/models/html_sanitizer.coffee
@@ -5,6 +5,12 @@ class Trix.HTMLSanitizer extends Trix.BasicObject
   DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
   DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
 
+  @setHTML = (element, html) ->
+    sanitizer = new this html
+    sanitizedElement = sanitizer.sanitize()
+    sanitizedHtml = if sanitizedElement.getHTML? then sanitizedElement.getHTML() else sanitizedElement.outerHTML
+    element.innerHTML = sanitizedHtml
+
   @sanitize: (html, options) ->
     sanitizer = new this html, options
     sanitizer.sanitize()
@@ -19,6 +25,7 @@ class Trix.HTMLSanitizer extends Trix.BasicObject
   sanitize: ->
     @sanitizeElements()
     @normalizeListElementNesting()
+    DOMPurify.sanitize @body, ADD_ATTR: ["language"], RETURN_DOM: true
 
   getHTML: ->
     @body.innerHTML

diff --git a/src/trix/views/attachment_view.coffee b/src/trix/views/attachment_view.coffee
@@ -25,7 +25,7 @@ class Trix.AttachmentView extends Trix.ObjectView
       figure.appendChild(innerElement)
 
     if @attachment.hasContent()
-      innerElement.innerHTML = @attachment.getContent()
+      Trix.HTMLSanitizer.setHTML innerElement, @attachment.getContent()
     else
       innerElement.appendChild(node) for node in @createContentNodes()
 
@@ -118,5 +118,5 @@ class Trix.AttachmentView extends Trix.ObjectView
 
 htmlContainsTagName = (html, tagName) ->
   div = makeElement("div")
-  div.innerHTML = html ? ""
+  Trix.HTMLSanitizer.setHTML div, html or ""
   div.querySelector(tagName)
diff --git a/test/.blade.yml b/test/.blade.yml
@@ -3,6 +3,7 @@ load_paths:
   - vendor
   - ../assets
   - ../polyfills
+  - ../vendor
   - ../src
 
 build:

diff --git a/test/src/system/pasting_test.coffee b/test/src/system/pasting_test.coffee
@@ -69,7 +69,31 @@ testGroup "Pasting", template: "editor_empty", ->
     window.unsanitized = []
     pasteData =
       "text/plain": "x",
-      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}\"></div>me"
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/anything&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}\"></div>me"
+
+    pasteContent pasteData, ->
+      after 20, ->
+        assert.deepEqual window.unsanitized, []
+        delete window.unsanitized
+        done()
+
+  test "paste data-trix-attachment encoded mathml", (done) ->
+    window.unsanitized = []
+    pasteData =
+      "text/plain": "x",
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;math&gt;&lt;mtext&gt;&lt;table&gt;&lt;mglyph&gt;&lt;style&gt;&lt;img src=x onerror=alert()&gt;&lt;/style&gt;XSS POC&quot;}\"></div>me"
+
+    pasteContent pasteData, ->
+      after 20, ->
+        assert.deepEqual window.unsanitized, []
+        delete window.unsanitized
+        done()
+
+  test "paste data-trix-attachment encoded embed", (done) ->
+    window.unsanitized = []
+    pasteData =
+      "text/plain": "x",
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;embed src='javascript:alert(1)'&gt;XSS POC&quot;}\"></div>me"
 
     pasteContent pasteData, ->
       after 20, ->

diff --git a/test/src/test_helpers/fixtures/fixtures.coffee b/test/src/test_helpers/fixtures/fixtures.coffee
@@ -326,7 +326,7 @@ removeWhitespace = (string) ->
     document: new Trix.Document [new Trix.Block text]
 
   "content attachment": do ->
-    content = """<blockquote class="twitter-tweet" data-cards="hidden"><p>ruby-build 20150413 is out, with definitions for 2.2.2, 2.1.6, and 2.0.0-p645 to address recent security issues: <a href="https://t.co/YEwV6NtRD8">https://t.co/YEwV6NtRD8</a></p>&mdash; Sam Stephenson (@sstephenson) <a href="https://twitter.com/sstephenson/status/587715996783218688">April 13, 2015</a></blockquote>"""
+    content = """<blockquote class="twitter-tweet"><p>ruby-build 20150413 is out, with definitions for 2.2.2, 2.1.6, and 2.0.0-p645 to address recent security issues: <a href="https://t.co/YEwV6NtRD8">https://t.co/YEwV6NtRD8</a></p>&mdash; Sam Stephenson (@sstephenson) <a href="https://twitter.com/sstephenson/status/587715996783218688">April 13, 2015</a></blockquote>"""
     href = "https://twitter.com/sstephenson/status/587715996783218688"
     contentType = "embed/twitter"
 

diff --git a/vendor/dompurify-banner/index.coffee.erb b/vendor/dompurify-banner/index.coffee.erb
@@ -0,0 +1,3 @@
+###
+<%= depend_on_asset("dompurify-banner.txt").to_s.chomp %>
+###
diff --git a/vendor/dompurify-banner/index.txt.erb b/vendor/dompurify-banner/index.txt.erb
@@ -0,0 +1,4 @@
+DOMPurify 3.2.1
+Copyright © Cure53 and other contributors
+Released under the Apache license 2.0 and Mozilla Public License 2.0
+github.com/cure53/DOMPurify/blob/3.2.1/LICENSE
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,7 @@ load_paths: @@
       - test/vendor
       - assets
       - polyfills
+      - vendor
       - src
     logical_paths:
@@ Expand Down @@