Use separate implementation of document to render raw elements.

Mati365 · pomek · commit b210e90c6cf8 · 2025-09-02T10:37:16.000+02:00
diff --git a/.changelog/20250829072109_ck_33.md b/.changelog/20250829072109_ck_33.md
@@ -0,0 +1,14 @@
+---
+type: Fix
+scope:
+  - ckeditor5-clipboard
+---
+
+A Cross-Site Scripting (XSS) vulnerability has been discovered in the CKEditor 5 clipboard package (`CVE-2025-58064`). This vulnerability could be triggered by a specific user action, leading to unauthorized JavaScript code execution, if the attacker managed to insert malicious content into the editor, which might happen with a very specific editor configuration.
+
+This vulnerability affects **only** installations where the editor configuration meets one of the following criteria:
+
+- [HTML embed plugin](https://ckeditor.com/docs/ckeditor5/latest/features/html/html-embed.html) is enabled
+- Custom plugin introducing an editable element which implements view [RawElement](https://ckeditor.com/docs/ckeditor5/latest/api/module_engine_view_rawelement-ViewRawElement.html) is enabled
+
+You can read more details in the relevant [security advisory](https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-x9gp-vjh6-3wv6) and [contact us](https://ckeditor.com/contact/) if you have more questions.
diff --git a/packages/ckeditor5-clipboard/src/utils/viewtoplaintext.ts b/packages/ckeditor5-clipboard/src/utils/viewtoplaintext.ts
@@ -54,7 +54,8 @@ export function viewToPlainText(
 
 	// If item is a raw element, the only way to get its content is to render it and read the text directly from DOM.
 	if ( viewItem.is( 'rawElement' ) ) {
-		const tempElement = document.createElement( 'div' );
+		const doc = document.implementation.createHTMLDocument( '' );
+		const tempElement = doc.createElement( 'div' );
 
 		viewItem.render( tempElement, converter );
 
diff --git a/packages/ckeditor5-clipboard/tests/utils/viewtoplaintext.js b/packages/ckeditor5-clipboard/tests/utils/viewtoplaintext.js
@@ -148,4 +148,23 @@ describe( 'viewToPlainText()', () => {
 
 		expect( text ).to.equal( 'Foo\nBar' );
 	} );
+
+	it( 'should not execute img#onerror js handler while conversion a view RawElement', async () => {
+		const writer = new ViewDowncastWriter( viewDocument );
+		const rawElement = writer.createRawElement( 'div', { 'data-foo': 'bar' }, function( domElement ) {
+			domElement.innerHTML = '<img src=x onerror=window.__testOnErrorExecuted=true>';
+		} );
+
+		window.__testOnErrorExecuted = false;
+		viewToPlainText( converter, rawElement );
+
+		await timeout( 50 );
+
+		expect( window.__testOnErrorExecuted ).to.be.false;
+		delete window.__testOnErrorExecuted;
+	} );
 } );
+
+function timeout( ms ) {
+	return new Promise( resolve => setTimeout( resolve, ms ) );
+}
