Merge pull request #747 from jnguyen32/xss-bug-fix-issue-724

XSS bug fix issue #724: XSS issue when importing through getHTML() function
2020-07-08 08:57:14 +02:00
parent 92eb2c61cc 02ee4a571c
commit aac9e7d674
3 changed files with 20574 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
+.history
 .DS_Store
 node_modules
 dist/
--- a/package-lock.json
+++ b/package-lock.json
--- a/packages/tiptap/src/Editor.js
+++ b/packages/tiptap/src/Editor.js
@@ -272,9 +272,9 @@ export default class Editor extends Emitter {
    }

    if (typeof content === 'string') {
-      const element = document.createElement('div')
-      element.innerHTML = content.trim()
-
+      const htmlString = `<div>${content}</div>`;
+      const parser = new window.DOMParser;
+      const element = parser.parseFromString(htmlString, "text/html").body;
      return DOMParser.fromSchema(this.schema).parse(element, parseOptions)
    }