From 80a4d4f5ffb392264cd8cc8feba0ab242cb0b08b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alberto=20Fern=C3=A1ndez-Capel?=
Date: Tue, 14 May 2024 16:05:12 +0100
Subject: [PATCH] Backport fix for CVE-2024-34341 to v1.3

---
 src/trix/models/html_parser.coffee | 7 ++++++-
 src/trix/models/html_sanitizer.coffee | 2 +-
 test/src/system/pasting_test.coffee | 24 ++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/src/trix/models/html_parser.coffee b/src/trix/models/html_parser.coffee
index 57b45db1d..793ba55a8 100644
--- a/src/trix/models/html_parser.coffee
+++ b/src/trix/models/html_parser.coffee
@@ -238,7 +238,12 @@ class Trix.HTMLParser extends Trix.BasicObject
 parseTrixDataAttribute = (element, name) ->
 try
- JSON.parse(element.getAttribute("data-trix-#{name}"))
+ data = JSON.parse(element.getAttribute("data-trix-#{name}"))
+
+ if data.contentType == "text/html" and data.content
+ data.content = HTMLSanitizer.sanitize(data.content).getHTML()
+
+ data
 catch
 {}
diff --git a/src/trix/models/html_sanitizer.coffee b/src/trix/models/html_sanitizer.coffee
index 87008ebad..d3fabb08e 100644
--- a/src/trix/models/html_sanitizer.coffee
+++ b/src/trix/models/html_sanitizer.coffee
@@ -3,7 +3,7 @@ class Trix.HTMLSanitizer extends Trix.BasicObject
 DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ")
 DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
- DEFAULT_FORBIDDEN_ELEMENTS = "script iframe".split(" ")
+ DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
 @sanitize: (html, options) ->
 sanitizer = new this html, options
diff --git a/test/src/system/pasting_test.coffee b/test/src/system/pasting_test.coffee
index b08f5d94a..b42260322 100644
--- a/test/src/system/pasting_test.coffee
+++ b/test/src/system/pasting_test.coffee
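Review bot: The new `data.contentType` read in parseTrixDataAttribute is not null-safe: when the attribute is absent, `element.getAttribute` returns null, `JSON.parse(null)` yields null, the property access throws, and the `catch` now returns `{}` where the old code returned null, so any caller that distinguishes the two sees a behaviour change hidden inside a security fix. The existential operator keeps the old result for non-object payloads: `if data?.contentType == "text/html" and data.content`. The comparison is also an exact string match, so whether other spellings of an HTML content type (case, a charset parameter) are rendered as markup by the attachment view is worth confirming against that code, which is outside this hunk. A one-line why-comment above the check would help the next reader, e.g. `# HTML attachment content originates from untrusted markup; sanitize it on parse (CVE-2024-34341)`.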
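Review bot: DEFAULT_FORBIDDEN_ELEMENTS is a deny-list and this hunk only appends one name to it; nothing on the line records why `noscript` belongs there, so a later maintainer could drop it as harmless. A comment such as `# noscript: with scripting enabled the parser treats its contents as text, so a DOM walk never sees the markup nested inside it` would capture the reason, with the new pasting test as the regression guard. More broadly, an allow-list of permitted elements is the usual way to make this kind of sanitizer robust against the next element that needs adding, though that is a follow-up rather than part of a backport. The `@sanitize` body begins inside the hunk and continues past its last line.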
@@ -53,6 +53,30 @@ testGroup "Pasting", template: "editor_empty", -> delete window.unsanitized done() + test "paste unsafe html with noscript", (done) -> + window.unsanitized = [] + pasteData = + "text/plain": "x", + "text/html": "
" + + pasteContent pasteData, () -> + after 20, () -> + assert.deepEqual(window.unsanitized, []) + delete window.unsanitized + done() + + test "paste data-trix-attachment unsafe html", (done) -> + window.unsanitized = [] + pasteData = + "text/plain": "x", + "text/html": "copy
me" + + pasteContent pasteData, -> + after 20, -> + assert.deepEqual window.unsanitized, [] + delete window.unsanitized + done() + test "prefers plain text when html lacks formatting", (expectDocument) -> pasteData = "text/html": "a\nb"