Skip to content

Commit 841ff19

Browse files
author
Alberto Fernández-Capel
authored
Merge pull request #1147 from basecamp/sanitize-noscript
Sanitize noscript to prevent copy and paste XSS
2 parents 36c7aeb + 5e03f4a commit 841ff19

2 files changed

Lines changed: 16 additions & 1 deletion

File tree

src/test/system/pasting_test.js

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -89,6 +89,21 @@ testGroup("Pasting", { template: "editor_empty" }, () => {
8989
delete window.unsanitized
9090
})
9191

92+
test("paste unsafe html with noscript", async () => {
93+
window.unsanitized = []
94+
const pasteData = {
95+
"text/plain": "x",
96+
"text/html": `\
97+
<div><noscript><div class="123</noscript>456<img src=1 onerror=window.unsanitized.push(1)//"></div></noscript></div>
98+
`
99+
}
100+
101+
await pasteContent(pasteData)
102+
await delay(20)
103+
assert.deepEqual(window.unsanitized, [])
104+
delete window.unsanitized
105+
})
106+
92107
test("prefers plain text when html lacks formatting", async () => {
93108
const pasteData = {
94109
"text/html": "<meta charset='utf-8'>a\nb",

src/trix/models/html_sanitizer.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ import { nodeIsAttachmentElement, removeNode, tagName, walkTree } from "trix/cor
44

55
const DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height language class".split(" ")
66
const DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
7-
const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form".split(" ")
7+
const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form noscript".split(" ")
88

99
export default class HTMLSanitizer extends BasicObject {
1010
static sanitize(html, options) {

0 commit comments

Comments
 (0)