Use DOMParser to safely parse html without script execution

slab · Aug 8, 2018 · 16b6a6c · 16b6a6c
1 parent ae22be5
commit 16b6a6c
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 3 deletions.
diff --git a/modules/clipboard.js b/modules/clipboard.js
@@ -84,8 +84,11 @@ class Clipboard extends Module {
     } else if (!html) {
       return new Delta().insert(text || '');
     }
-    const container = this.quill.root.ownerDocument.createElement('div');
-    container.innerHTML = html.replace(/>\r?\n +</g, '><'); // Remove spaces between tags
+    const doc = new DOMParser().parseFromString(
+      html.replace(/>\r?\n +</g, '><'), // Remove spaces between tags
+      'text/html',
+    );
+    const container = doc.body;
     const nodeMatches = new WeakMap();
     const [elementMatchers, textMatchers] = this.prepareMatching(
       container,

diff --git a/test/unit/modules/clipboard.js b/test/unit/modules/clipboard.js
@@ -262,11 +262,20 @@ describe('Clipboard', function() {
       expect(delta).toEqual(expected);
     });
 
+    it('does not execute javascript', function() {
+      window.unsafeFunction = jasmine.createSpy('unsafeFunction');
+      const html =
+        "<img src='/assets/favicon.png' onload='window.unsafeFunction()'/>";
+      this.clipboard.convert({ html });
+      expect(window.unsafeFunction).not.toHaveBeenCalled();
+      delete window.unsafeFunction;
+    });
+
     it('xss', function() {
       const delta = this.clipboard.convert({
         html: '<script>alert(2);</script>',
       });
-      expect(delta).toEqual(new Delta().insert('alert(2);'));
+      expect(delta).toEqual(new Delta().insert(''));
     });
   });
 });