Skip to content

Commit

Permalink
Merge pull request #1147 from basecamp/sanitize-noscript
Browse files Browse the repository at this point in the history
Sanitize noscript to prevent copy and paste XSS
  • Loading branch information
Alberto Fernández-Capel authored Apr 26, 2024
2 parents 36c7aeb + 5e03f4a commit 841ff19
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 1 deletion.
15 changes: 15 additions & 0 deletions src/test/system/pasting_test.js
Original file line number Diff line number Diff line change
Expand Up @@ -89,6 +89,21 @@ testGroup("Pasting", { template: "editor_empty" }, () => {
delete window.unsanitized
})

test("paste unsafe html with noscript", async () => {
window.unsanitized = []
const pasteData = {
"text/plain": "x",
"text/html": `\
<div><noscript><div class="123</noscript>456<img src=1 onerror=window.unsanitized.push(1)//"></div></noscript></div>
`
}

await pasteContent(pasteData)
await delay(20)
assert.deepEqual(window.unsanitized, [])
delete window.unsanitized
})

test("prefers plain text when html lacks formatting", async () => {
const pasteData = {
"text/html": "<meta charset='utf-8'>a\nb",
Expand Down
2 changes: 1 addition & 1 deletion src/trix/models/html_sanitizer.js
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ import { nodeIsAttachmentElement, removeNode, tagName, walkTree } from "trix/cor

const DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height language class".split(" ")
const DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form".split(" ")
const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form noscript".split(" ")

export default class HTMLSanitizer extends BasicObject {
static sanitize(html, options) {
Expand Down

0 comments on commit 841ff19

Please # to comment.