Test attachment content is sanitized

basecamp · May 1, 2024 · 5ea39c2 · 5ea39c2
1 parent 841ff19
commit 5ea39c2
Showing 1 changed file with 18 additions and 3 deletions.
diff --git a/src/test/system/pasting_test.js b/src/test/system/pasting_test.js
@@ -89,13 +89,28 @@ testGroup("Pasting", { template: "editor_empty" }, () => {
     delete window.unsanitized
   })
 
-  test("paste unsafe html with noscript", async () => {
+  test("paste data-trix-attachment unsafe html", async () => {
     window.unsanitized = []
     const pasteData = {
       "text/plain": "x",
       "text/html": `\
-        <div><noscript><div class="123</noscript>456<img src=1 onerror=window.unsanitized.push(1)//"></div></noscript></div>
-      `
+      copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}"></div>me
+      `,
+    }
+
+    await pasteContent(pasteData)
+    await delay(20)
+    assert.deepEqual(window.unsanitized, [])
+    delete window.unsanitized
+  })
+
+  test("paste data-trix-attachment unsafe html", async () => {
+    window.unsanitized = []
+    const pasteData = {
+      "text/plain": "x",
+      "text/html": `\
+      copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&lt;img src=1 onerror=window.unsanitized.push(1)&gt;HELLO123&quot;}"></div>me
+      `,
     }
 
     await pasteContent(pasteData)