From eab60ab31a0331d2cd5f584bd28713a0a6ddb1a2 Mon Sep 17 00:00:00 2001
From: Sean
Date: Thu, 19 Aug 2021 18:55:23 +0200
Subject: [PATCH] Clean HTML before pasting in tinymce

If the user decides to copy-paste HTML (like from another OpenSlides motion detail)
- remove all classes
- remove data-line-number="X"
- remove contenteditable="false"

Not doing so would save control sequences from diff/linenumbering into the model which will open pandoras pox during PDF generation (and potentially web view)
---
 client/src/app/base.component.ts | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/client/src/app/base.component.ts b/client/src/app/base.component.ts
index 74da24608..d68b57d3a 100644
--- a/client/src/app/base.component.ts
+++ b/client/src/app/base.component.ts
@@ -67,7 +67,8 @@ export abstract class BaseComponent {
 plugins: ['autosave', 'lists', 'autolink']
 },
 relative_urls: false,
- remove_script_host: true
+ remove_script_host: true,
+ paste_preprocess: this.pastePreprocess
 };

 public constructor(protected titleService: Title, protected translate: TranslateService) {
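Review bot: `paste_preprocess: this.pastePreprocess` hands TinyMCE an unbound method reference, so `this` inside the callback will not be the component; that is harmless only while `pastePreprocess` never reads instance state, which the method added in the `@@ -75,6 +76,29 @@` hunk currently respects. If it ever needs `this`, register it as `paste_preprocess: (plugin, args) => this.pastePreprocess(plugin, args)` or declare the method as an arrow-function property. The `tinyMceSettings` object literal this line belongs to starts before the hunk.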
@@ -75,6 +76,29 @@ export abstract class BaseComponent {
 this.tinyMceSettings.language = this.translate.currentLang;
 }

+ /**
+ * Clean pasted HTML.
+ * If the user decides to copy-paste HTML (like from another OpenSlides motion detail)
+ * - remove all classes
+ * - remove data-line-number="X"
+ * - remove contenteditable="false"
+ *
+ * Not doing so would save control sequences from diff/linenumbering into the
+ * model which will open pandoras pox during PDF generation (and potentially web view)
+ * @param _
+ * @param args
+ */
+ private pastePreprocess(_: any, args: any): void {
+ const getClassesRe: RegExp = new RegExp(/\s*class\=\"[\w\W]*?\"/, 'gi');
+ const getDataLineNumberRe: RegExp = new RegExp(/\s*data-line-number\=\"\d+\"/, 'gi');
+ const getContentEditableRe: RegExp = new RegExp(/\s*contenteditable\=\"\w+\"/, 'gi');
+ const cleanedContent = (args.content as string)
+ .replace(getClassesRe, '')
+ .replace(getDataLineNumberRe, '')
+ .replace(getContentEditableRe, '');
+ args.content = cleanedContent;
+ }
+
 /**
 * Set the title in web browser using angulars TitleService
 * @param prefix The title prefix. Should be translated here.
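Review bot: The three patterns in `pastePreprocess` each recognise only one serialisation — double-quoted values and, for `contenteditable`, a non-empty `\w+` — so `class='x'`, `class=x` and `contenteditable=""` (which browsers treat as enabled) pass straight through into the model, while the unanchored `\s*class` also eats the tail of any attribute merely ending in `class` (e.g. `data-class="…"` is left as a dangling `data-`). Pasted HTML is untrusted input, so strip the attributes by name on a parsed tree rather than pattern-matching the text, as sketched below (the narrower `args: { content: string }` should still satisfy the settings type if one is declared, since the method only reads `args.content` — confirm against the TinyMCE typings in use). This remains a client-side normalisation and not a security boundary: content submitted to the API directly bypasses it, so the model or the PDF/line-numbering side should also drop or ignore these attributes. Minor style: `new RegExp(/…/, 'gi')` and the `\=`/`\"` escapes are redundant (`/\s*class="[\w\W]*?"/gi` is equivalent), and `pandoras pox` in the docstring reads like a typo for `Pandora's box`.
```typescript
private pastePreprocess(_: unknown, args: { content: string }): void {
    // Remove by attribute name on a parsed tree so quoting style and casing cannot slip past.
    const doc = new DOMParser().parseFromString(args.content, 'text/html');
    doc.body.querySelectorAll('[class], [data-line-number], [contenteditable]').forEach(el => {
        el.removeAttribute('class');
        el.removeAttribute('data-line-number');
        el.removeAttribute('contenteditable');
    });
    args.content = doc.body.innerHTML;
}
```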