Bug fix for issue #724; XSS issue when importing through getHTML() function; remove usage of innerHTML and pre-parse the string using native JS DOMParser

2025-01-21 00:13:58 +08:00 · 2020-07-01 13:56:18 -07:00 · 2020-07-01 13:56:18 -07:00 · 4954f8297c
commit 4954f8297c
parent 92eb2c61cc
1 changed files with 44 additions and 31 deletions
--- a/packages/tiptap/src/Editor.js
+++ b/packages/tiptap/src/Editor.js
@ -52,13 +52,20 @@ export default class Editor extends Emitter {
      dropCursor: {},
      parseOptions: {},
      injectCSS: true,
-      onInit: () => {},
-      onTransaction: () => {},
-      onUpdate: () => {},
-      onFocus: () => {},
-      onBlur: () => {},
-      onPaste: () => {},
-      onDrop: () => {},
+      onInit: () => {
+      },
+      onTransaction: () => {
+      },
+      onUpdate: () => {
+      },
+      onFocus: () => {
+      },
+      onBlur: () => {
+      },
+      onPaste: () => {
+      },
+      onDrop: () => {
+      },
    }

    this.events = [
@ -103,7 +110,8 @@ export default class Editor extends Emitter {
    }

    this.events.forEach(name => {
-      this.on(name, this.options[camelCase(`on ${name}`)] || (() => {}))
+      this.on(name, this.options[camelCase(`on ${name}`)] || (() => {
+      }))
    })

    this.emit('init', {
@ -272,8 +280,9 @@ export default class Editor extends Emitter {
    }

    if (typeof content === 'string') {
-      const element = document.createElement('div')
-      element.innerHTML = content.trim()
+      const htmlString = `<div>${content}</div>`;
+      const parser = new window.DOMParser;
+      const element = parser.parseFromString(htmlString, "text/html").body.firstChild;

      return DOMParser.fromSchema(this.schema).parse(element, parseOptions)
    }
@ -284,8 +293,12 @@ export default class Editor extends Emitter {
  createView() {
    return new EditorView(this.element, {
      state: this.createState(),
-      handlePaste: (...args) => { this.emit('paste', ...args) },
-      handleDrop: (...args) => { this.emit('drop', ...args) },
+      handlePaste: (...args) => {
+        this.emit('paste', ...args)
+      },
+      handleDrop: (...args) => {
+        this.emit('drop', ...args)
+      },
      dispatchTransaction: this.dispatchTransaction.bind(this),
    })
  }