From 5e03f4a7dd5a53969f6b67e0a4c3765cb0b5220d Mon Sep 17 00:00:00 2001
From: Lewis Buckley
Date: Fri, 26 Apr 2024 14:49:26 +0100
Subject: [PATCH] Sanitize noscript to prevent copy and paste XSS
---
 src/test/system/pasting_test.js | 15 +++++++++++++++
 src/trix/models/html_sanitizer.js | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/src/test/system/pasting_test.js b/src/test/system/pasting_test.js
index 419d2f237..8bcb9f642 100644
--- a/src/test/system/pasting_test.js
+++ b/src/test/system/pasting_test.js
@@ -89,6 +89,21 @@ testGroup("Pasting", { template: "editor_empty" }, () => {
 delete window.unsanitized
 })
+ test("paste unsafe html with noscript", async () => {
+ window.unsanitized = []
+ const pasteData = {
+ "text/plain": "x",
+ "text/html": `\
+
+ ` }
+
+ await pasteContent(pasteData)
+ await delay(20)
+ assert.deepEqual(window.unsanitized, [])
+ delete window.unsanitized
+ })
+
 test("prefers plain text when html lacks formatting", async () => {
 const pasteData = {
 "text/html": "a\nb",
diff --git a/src/trix/models/html_sanitizer.js b/src/trix/models/html_sanitizer.js
index 0782bd7b9..12893dc30 100644
--- a/src/trix/models/html_sanitizer.js
+++ b/src/trix/models/html_sanitizer.js
@@ -4,7 +4,7 @@ import { nodeIsAttachmentElement, removeNode, tagName, walkTree } from "trix/cor
 const DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height language class".split(" ")
 const DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
-const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form".split(" ")
+const DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form noscript".split(" ")
 export default class HTMLSanitizer extends BasicObject {
 static sanitize(html, options) {