Merge pull request from GHSA-gpfj-4j6g-c4w9

Kristján Oddsson · web-flow · commit 32b7ea3f29ae · 2021-08-12T13:24:46.000+01:00
Fix Clipboard-based DOM XSS
diff --git a/src/paste-markdown-table.ts b/src/paste-markdown-table.ts
@@ -87,9 +87,10 @@ function generateText(transfer: DataTransfer): string | undefined {
   const html = transfer.getData('text/html')
   if (!/<table/i.test(html)) return
 
-  const el = document.createElement('div')
-  el.innerHTML = html
-  let table = el.querySelector('table')
+  const parser = new DOMParser()
+  const parsedDocument = parser.parseFromString(html, 'text/html')
+
+  let table = parsedDocument.querySelector('table')
   table = !table || table.closest('[data-paste-markdown-skip]') ? null : table
   if (!table) return
 
diff --git a/test/test.js b/test/test.js
@@ -38,6 +38,21 @@ describe('paste-markdown', function () {
       assert.include(textarea.value, 'name | origin\n-- | --\nhubot | github\nbender | futurama')
     })
 
+    it("doesn't execute JavaScript", async function () {
+      let alertCalled = false
+      window.secretFunction = function () {
+        alertCalled = true
+      }
+      const data = {
+        'text/html': `XSS<img/src/onerror=secretFunction()><table>`
+      }
+      paste(textarea, data)
+
+      await wait(100)
+
+      assert.isFalse(alertCalled, 'A XSS was possible as alert was called')
+    })
+
     it('retains text around tables', async function () {
       const data = {
         'text/html': `
@@ -97,3 +112,7 @@ function paste(textarea, data) {
   })
   textarea.dispatchEvent(event)
 }
+
+function wait(ms) {
+  return new Promise(resolve => setTimeout(resolve, ms))
+}
