fix(tools-api): pasteConfig.tags now supports a sanitize config #2100

Merged
merged 30 commits into from
Nov 21, 2022
818da6a
event handlers function added
robonetphy Jul 16, 2022
52467f0
sanitization config added
robonetphy Jul 16, 2022
86c8e32
integrate with paste event
robonetphy Jul 16, 2022
a5aaa65
lint removed
robonetphy Jul 16, 2022
bbbd34b
Merge branch 'next' into fix/xss-problem
robonetphy Aug 3, 2022
5338890
remove old changes
robonetphy Aug 3, 2022
a9230d1
object based sanitization configuration support
robonetphy Aug 3, 2022
9131354
paste config updated
robonetphy Aug 25, 2022
2bbd6d0
logic updated
robonetphy Aug 25, 2022
26e557d
extract tag name from paste-config
robonetphy Aug 26, 2022
da2b87d
tool tags added
robonetphy Aug 26, 2022
2acfdee
multi tag sanitization added
robonetphy Aug 26, 2022
18684f8
the comments added
robonetphy Aug 26, 2022
cd631ef
lint removed
robonetphy Aug 26, 2022
3e308d4
Merge branch 'next' into fix/xss-problem
robonetphy Nov 7, 2022
a1f092a
Update types/configs/paste-config.d.ts
robonetphy Nov 7, 2022
dd8d6d6
update the changes
robonetphy Nov 7, 2022
36793eb
lint removed
robonetphy Nov 7, 2022
f2df84b
return empty array by get tags
robonetphy Nov 11, 2022
0dce253
submodule reset
robonetphy Nov 11, 2022
cecf49b
Update src/components/modules/paste.ts
robonetphy Nov 11, 2022
8aaff27
changelog added
robonetphy Nov 11, 2022
6cc153b
tool comments added
robonetphy Nov 11, 2022
aae5ee2
chore: docs, code comments updated
neSpecc Nov 11, 2022
b9a3969
fix: xss in processDataTransfer
neSpecc Nov 11, 2022
7fa8040
base tests added
neSpecc Nov 17, 2022
aea30fe
test added
neSpecc Nov 21, 2022
a001c01
rm 'only' from test suite
neSpecc Nov 21, 2022
0373eab
rm log
neSpecc Nov 21, 2022
15857b1
reorder test
neSpecc Nov 21, 2022
3 changes: 3 additions & 0 deletions docs/CHANGELOG.md
Expand Up @@ -9,6 +9,9 @@
- `Deprecated` — *Styles API* — CSS classes `.cdx-settings-button` and `.cdx-settings-button--active` are not recommended to use. Consider configuring your block settings with new JSON API instead.
- `Fix` — Wrong element not highlighted anymore when popover opened.
- `Fix` — When Tunes Menu open keydown events can not be handled inside plugins.
- `Fix` — If a Tool specifies some tags to substitute on paste, all attributes of that tags will be removed before passing them to the tool. Possible XSS vulnerability fixed.
- `Fix` — Workaround for the HTMLJanitor bug with Tables (https://github.com/guardian/html-janitor/issues/3) added
- `Improvement` — *Tools API* — `pasteConfig().tags` now support sanitizing configuration. It allows you to leave some explicitly specified attributes for pasted content.

### 2.25.0

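Review bot: two grammar slips in the new entries: `that tags` in the XSS `Fix` line should read `those tags`, and `now support sanitizing configuration` in the `Improvement` line should read `now supports a sanitizing configuration`. Beyond wording, the `Fix` entry states what is stripped but not the consequence for Tool authors: a Tool that relied on attributes of substituted tags (an `img` `src`, for instance) silently loses them after upgrading unless it adds the new sanitize config, so the `Fix` line should cross-reference the `Improvement` line so that readers find the migration path in one place.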
24 changes: 22 additions & 2 deletions docs/tools.md
Expand Up @@ -151,7 +151,7 @@ To handle pasted HTML elements object returned from `pasteConfig` getter should

For correct work you MUST provide `onPaste` handler at least for `defaultBlock` Tool.

> Example
#### Example

Header Tool can handle `H1`-`H6` tags using paste handling API
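Review bot: promoting `> Example` to `#### Example` is fine, but this hunk shows only one such heading; check that the other example callouts in tools.md use the same `####` level (the section heading `### RegExp patterns handling` below is `###`), otherwise the rendered table of contents gains a single stray h4.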

Expand All @@ -163,7 +163,27 @@ static get pasteConfig() {
}
```

> Same tag can be handled by one (first specified) Tool only.
**Note. Same tag can be handled by one (first specified) Tool only.**

**Note. All attributes of pasted tag will be removed. To leave some attribute, you should explicitly specify them. Se below**

Let's suppose you want to leave the 'src' attribute when handle pasting of the `img` tags. Your config should look like this:

```javascript
static get pasteConfig() {
return {
tags: [
{
img: {
src: true
}
}
],
}
}
```

[Read more](https://editorjs.io/sanitizer) about the sanitizing configuration.

### RegExp patterns handling

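Review bot: typos in the added note and paragraph: `Se below` should be `See below`, `All attributes of pasted tag` should be `All attributes of a pasted tag`, and `when handle pasting of the `img` tags` should be `when handling pasting of `img` tags`. Beyond wording, the example should spell out what `src: true` means: the attribute is passed through with whatever value the pasted markup carried, so a Tool that allows `src` this way still has to validate the value itself; pointing readers at the linked sanitizer page for value-level rules would cover that. The docs should also say whether the two tag forms may be mixed in one `tags` array (plain strings such as `'H1'` alongside objects such as `{ img: { src: true } }`); the commit `multi tag sanitization added` suggests they can, but nothing in this hunk states it.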
16 changes: 9 additions & 7 deletions src/components/dom.ts
Expand Up @@ -53,7 +53,7 @@ export default class Dom {
*
* @returns {HTMLElement}
*/
public static make(tagName: string, classNames: string|string[] = null, attributes: object = {}): HTMLElement {
public static make(tagName: string, classNames: string | string[] = null, attributes: object = {}): HTMLElement {
const el = document.createElement(tagName);

if (Array.isArray(classNames)) {
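Review bot: the `string|string[]` to `string | string[]` change in `make`, and the same spacing edits in `append`, `prepend`, `find`, `findAll` and `offset` further down this file, are formatting-only and unrelated to the paste sanitization fix; they make the one security-relevant part of the dom.ts diff (the `tbody`/`thead` addition) harder to spot. Either split them into a separate chore commit or note in the PR description that the lint pass touched these signatures.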
Expand Down Expand Up @@ -109,8 +109,8 @@ export default class Dom {
* @param {Element|Element[]|DocumentFragment|Text|Text[]} elements - element or elements list
*/
public static append(
parent: Element|DocumentFragment,
elements: Element|Element[]|DocumentFragment|Text|Text[]
parent: Element | DocumentFragment,
elements: Element | Element[] | DocumentFragment | Text | Text[]
): void {
if (Array.isArray(elements)) {
elements.forEach((el) => parent.appendChild(el));
Expand All @@ -125,7 +125,7 @@ export default class Dom {
* @param {Element} parent - where to append
* @param {Element|Element[]} elements - element or elements list
*/
public static prepend(parent: Element, elements: Element|Element[]): void {
public static prepend(parent: Element, elements: Element | Element[]): void {
if (Array.isArray(elements)) {
elements = elements.reverse();
elements.forEach((el) => parent.prepend(el));
Expand Down Expand Up @@ -168,7 +168,7 @@ export default class Dom {
*
* @returns {Element}
*/
public static find(el: Element|Document = document, selector: string): Element {
public static find(el: Element | Document = document, selector: string): Element {
return el.querySelector(selector);
}

Expand All @@ -192,7 +192,7 @@ export default class Dom {
*
* @returns {NodeList}
*/
public static findAll(el: Element|Document = document, selector: string): NodeList {
public static findAll(el: Element | Document = document, selector: string): NodeList {
return el.querySelectorAll(selector);
}

Expand Down Expand Up @@ -523,6 +523,8 @@ export default class Dom {
'ruby',
'section',
'table',
'tbody',
'thead',
'tr',
'tfoot',
'ul',
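Review bot: the `tbody` and `thead` entries are the "Workaround for the HTMLJanitor bug with Tables" from the changelog, but nothing in the code marks them as a workaround. Add a short comment above these two entries referencing https://github.com/guardian/html-janitor/issues/3 so they can be revisited once the upstream bug is fixed, and make sure the tests added in this PR include a pasted table with explicit `thead`/`tbody` sections so the workaround is actually exercised.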
Expand Down Expand Up @@ -619,7 +621,7 @@ export default class Dom {
* @todo handle case when editor initialized in scrollable popup
* @param el - element to compute offset
*/
public static offset(el): {top: number; left: number; right: number; bottom: number} {
public static offset(el): { top: number; left: number; right: number; bottom: number } {
const rect = el.getBoundingClientRect();
const scrollLeft = window.pageXOffset || document.documentElement.scrollLeft;
const scrollTop = window.pageYOffset || document.documentElement.scrollTop;