Use DOMParser to safely parse html without script execution

[RyanV]

Fix for #2224

DOMParser will safely parse html without executing scripts or inline javascript handlers. It will also automatically put script tags in the head of the document which we should be able to safely ignore.
This implementation does change the resulting delta of the paste by not the script content as text.

Issue #2224 identifies another issue where inline event handlers can execute javascript from non script tags. I was unable to create a failing test with an img.onerror handler defined even though the failed img src request can be seen in the test report. I can continue to work on this if necessary. Here is the test:

it('does not execute javascript', function() {
    window.unsafeFunction = jasmine.createSpy('unsafeFunction');
    const html = "<img src='a' onerror='window.unsafeFunction()'/>";
    this.clipboard.convert({ html });
    expect(window.unsafeFunction).not.toHaveBeenCalled();
    delete window.unsafeFunction;
});

[jhchen]

Thanks @RyanV! Can you add the test here into test/unit/modules/clipboard.js as well?

[RyanV]

@jhchen as mentioned, there is an issue with karma firing the on error callback, but only in the test. I can explore the issue more

[jhchen]

Can you try onload instead of onerror and using src="/assets/favicon.png"?

[RyanV]

yup, onload worked fine. updated branch with test.

[RyanV]

Any ideas why Travis is failing? looks like it's can't find the Karma executable sh: 1: karma: not found

[jhchen]

The karma issue seems like a bad cache -- I removed it and it got past but then complained about credentials. Will have to look more into the latter issue. Thanks for the bug-fix and tests!

[RyanV]

👍