Remove dompurify

To avoid issues with integrating DOMPurify we'll remove it from
the 1.3 branch. Instead update the HTMLSanitizer to remove the
embed and math elements to fix the reported XSS attacks.

.blade.yml

@@ -3,7 +3,6 @@ load_paths:
   - test/vendor
   - assets
   - polyfills
-  - vendor
   - src
 
 logical_paths:

assets/trix-core.coffee

@@ -1,3 +1,2 @@
 #= require trix/banner
 #= require trix/index
-#= require vendor

assets/trix.coffee

@@ -1,4 +1,3 @@
 #= require trix/banner
 #= require polyfills
 #= require trix/index
-#= require vendor

bower.json

@@ -23,7 +23,6 @@
     "assets",
     "bin",
     "polyfills",
-    "vendor",
     "src",
     "test",
     "*.md",

dist/trix.css

@@ -1,6 +1,6 @@
 @charset "UTF-8";
 /*
-Trix 1.3.2
+Trix 1.3.4
 Copyright © 2024 Basecamp, LLC
 http://trix-editor.org/*/
 trix-editor {

package.json

@@ -23,12 +23,8 @@
     "url": "https://github.com/basecamp/trix/issues"
   },
   "homepage": "https://trix-editor.org/",
-  "dependencies": {
-    "dompurify": "^3.2.3"
-  },
   "devDependencies": {
     "@babel/core": "^7.17.8",
-    "@babel/preset-env": "^7.26.0",
     "svgo": "^0.6.1"
   }
 }

src/trix/inspector/index.coffee

@@ -4,7 +4,6 @@
 #= require ./control_element
 #= require_tree ./templates
 #= require_tree ./views
-#= require_tree ./vendor
 
 Trix.Inspector =
   views: []

src/trix/models/html_sanitizer.coffee

@@ -3,7 +3,7 @@
 class Trix.HTMLSanitizer extends Trix.BasicObject
   DEFAULT_ALLOWED_ATTRIBUTES = "style href src width height class".split(" ")
   DEFAULT_FORBIDDEN_PROTOCOLS = "javascript:".split(" ")
-  DEFAULT_FORBIDDEN_ELEMENTS = "script iframe noscript".split(" ")
+  DEFAULT_FORBIDDEN_ELEMENTS = "script iframe form noscript embed math".split(" ")
 
   @setHTML = (element, html) ->
     sanitizer = new this html
@@ -25,7 +25,6 @@ class Trix.HTMLSanitizer extends Trix.BasicObject
   sanitize: ->
     @sanitizeElements()
     @normalizeListElementNesting()
-    DOMPurify.sanitize @body, ADD_ATTR: ["language"], RETURN_DOM: true
 
   getHTML: ->
     @body.innerHTML

test/.blade.yml

@@ -3,7 +3,6 @@ load_paths:
   - vendor
   - ../assets
   - ../polyfills
-  - ../vendor
   - ../src
 
 build:

test/src/system/pasting_test.coffee

@@ -81,7 +81,7 @@ testGroup "Pasting", template: "editor_empty", ->
     window.unsanitized = []
     pasteData =
       "text/plain": "x",
-      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;math&gt;&lt;mtext&gt;&lt;table&gt;&lt;mglyph&gt;&lt;style&gt;&lt;img src=x onerror=alert()&gt;&lt;/style&gt;XSS POC&quot;}\"></div>me"
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;math&gt;&lt;mtext&gt;&lt;table&gt;&lt;mglyph&gt;&lt;style&gt;&lt;img src=x onerror=window.unsanitized.push(1)&gt;&lt;/style&gt;XSS POC&quot;}\"></div>me"
 
     pasteContent pasteData, ->
       after 20, ->
@@ -93,7 +93,7 @@ testGroup "Pasting", template: "editor_empty", ->
     window.unsanitized = []
     pasteData =
       "text/plain": "x",
-      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;embed src='javascript:alert(1)'&gt;XSS POC&quot;}\"></div>me"
+      "text/html": "copy<div data-trix-attachment=\"{&quot;contentType&quot;:&quot;text/html5&quot;,&quot;content&quot;:&quot;&lt;embed src='window.unsanitized.push(1)'&gt;XSS POC&quot;}\"></div>me"
 
     pasteContent pasteData, ->
       after 20, ->