Merge pull request #10275 from ckeditor/ck/10213

Fix (html-support): Filtered out all pasted HTML comments. Closes #10213.
ckeditor · Aug 2, 2021 · 59e2327 · 59e2327
2 parents 9fa1052 + 02308e5
commit 59e2327
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 1 deletion.
diff --git a/packages/ckeditor5-clipboard/src/utils/normalizeclipboarddata.js b/packages/ckeditor5-clipboard/src/utils/normalizeclipboarddata.js
@@ -9,6 +9,7 @@
 
 /**
  * Removes some popular browser quirks out of the clipboard data (HTML).
+ * Removes all HTML comments. Comments are considered as an internal thing and it makes little sense if they leak to editor data.
  *
  * @param {String} data The HTML data to normalize.
  * @returns {String} Normalized HTML.
@@ -23,5 +24,7 @@ export default function normalizeClipboardData( data ) {
 			}
 
 			return spaces;
-		} );
+		} )
+		// Remove all HTML comments.
+		.replace( /<!--[\s\S]*?-->/g, '' );
 }
diff --git a/packages/ckeditor5-clipboard/tests/utils/normalizeclipboarddata.js b/packages/ckeditor5-clipboard/tests/utils/normalizeclipboarddata.js
@@ -57,4 +57,28 @@ describe( 'normalizeClipboardData()', () => {
 			normalizeClipboardData( '<span class="Apple-converted-space"> </span><span foo>  </span><span>a</span>' )
 		).to.equal( ' <span foo>  </span><span>a</span>' );
 	} );
+
+	it( 'should strip HTML comments if clipboard data contains anything but HTML comments', () => {
+		expect(
+			normalizeClipboardData( '<!-- comment 1 --><!-- comment 2 --><!-- comment 3 -->' )
+		).to.equal( '' );
+	} );
+
+	it( 'should strip HTML comments if clipboard data contains anything but multiline HTML comments', () => {
+		expect(
+			normalizeClipboardData( '<!-- multi \n\n\n line \n\n\n comment 1 --><!-- multi \n\n\n line \n\n\n comment 2 -->' )
+		).to.equal( '' );
+	} );
+
+	it( 'should strip HTML comments if clipboard data contains HTML comments mixed with elements', () => {
+		expect(
+			normalizeClipboardData( '<!-- comment 1 --><div><p><!-- comment 2 -->foo<!-- comment 3 --></p></div><!-- comment 4 -->' )
+		).to.equal( '<div><p>foo</p></div>' );
+	} );
+
+	it( 'should strip HTML comments if clipboard data contains multiline HTML comments with commented out elements', () => {
+		expect(
+			normalizeClipboardData( '<p>foo</p><!-- multi \n\n\n line \n\n\n comment \n\n\n with element <p>bar</p> --><p>baz</p>' )
+		).to.equal( '<p>foo</p><p>baz</p>' );
+	} );
 } );