Clean HTML before pasting in tinymce

If the user decides to copy-paste HTML (like from another OpenSlides motion detail)
 - remove all classes
 - remove data-line-number="X"
 - remove contenteditable="false"

Not doing so would save control sequences from diff/linenumbering into the
model which will open pandoras pox during PDF generation (and potentially web view)
This commit is contained in:
Sean 2021-08-19 18:55:23 +02:00
parent 8c7a770f9b
commit eab60ab31a

View File

@ -67,7 +67,8 @@ export abstract class BaseComponent {
plugins: ['autosave', 'lists', 'autolink'] plugins: ['autosave', 'lists', 'autolink']
}, },
relative_urls: false, relative_urls: false,
remove_script_host: true remove_script_host: true,
paste_preprocess: this.pastePreprocess
}; };
public constructor(protected titleService: Title, protected translate: TranslateService) { public constructor(protected titleService: Title, protected translate: TranslateService) {
@ -75,6 +76,29 @@ export abstract class BaseComponent {
this.tinyMceSettings.language = this.translate.currentLang; this.tinyMceSettings.language = this.translate.currentLang;
} }
/**
* Clean pasted HTML.
* If the user decides to copy-paste HTML (like from another OpenSlides motion detail)
* - remove all classes
* - remove data-line-number="X"
* - remove contenteditable="false"
*
* Not doing so would save control sequences from diff/linenumbering into the
* model which will open pandoras pox during PDF generation (and potentially web view)
* @param _
* @param args
*/
private pastePreprocess(_: any, args: any): void {
const getClassesRe: RegExp = new RegExp(/\s*class\=\"[\w\W]*?\"/, 'gi');
const getDataLineNumberRe: RegExp = new RegExp(/\s*data-line-number\=\"\d+\"/, 'gi');
const getContentEditableRe: RegExp = new RegExp(/\s*contenteditable\=\"\w+\"/, 'gi');
const cleanedContent = (args.content as string)
.replace(getClassesRe, '')
.replace(getDataLineNumberRe, '')
.replace(getContentEditableRe, '');
args.content = cleanedContent;
}
/** /**
* Set the title in web browser using angulars TitleService * Set the title in web browser using angulars TitleService
* @param prefix The title prefix. Should be translated here. * @param prefix The title prefix. Should be translated here.