From 7f81c6f5353b96b872d574135153aa6618b8c933 Mon Sep 17 00:00:00 2001
From: Jedr Blaszyk <jedrazb@gmail.com>
Date: Sat, 20 Jun 2026 22:23:32 +0200
Subject: [PATCH] fix(core): harden clipboard HTML paste against XSS and ReDoS

Sanitize pasted clipboard HTML with DOMPurify and parse it into an
inert document instead of assigning it to innerHTML, so embedded
scripts, event handlers, and javascript: URLs cannot run. Replace the
regex-based Word comment stripping with a single linear scan that
cannot backtrack polynomially on hostile input and never leaves a
stray comment opener behind.

Resolves CodeQL js/xss, js/incomplete-multi-character-sanitization,
and js/polynomial-redos in packages/core/src/utils/clipboard.ts.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 .changeset/clipboard-html-hardening.md        |   5 +
 bun.lock                                      |  17 ++-
 packages/core/package.json                    |   1 +
 .../utils/__tests__/clipboard-html.test.ts    | 104 +++++++++++++++++
 packages/core/src/utils/clipboard.ts          | 105 ++++++++++++++++--
 5 files changed, 218 insertions(+), 14 deletions(-)
 create mode 100644 .changeset/clipboard-html-hardening.md
 create mode 100644 packages/core/src/utils/__tests__/clipboard-html.test.ts

diff --git a/.changeset/clipboard-html-hardening.md b/.changeset/clipboard-html-hardening.md
new file mode 100644
index 000000000..b9792647f
--- /dev/null
+++ b/.changeset/clipboard-html-hardening.md
@@ -0,0 +1,5 @@
+---
+'@eigenpal/docx-editor-core': patch
+---
+
+Harden clipboard HTML paste against script injection and slow-input denial of service. Pasted HTML is now sanitized (via DOMPurify) and parsed into an inert document instead of being assigned to `innerHTML`, so embedded scripts, event handlers, and `javascript:` URLs cannot run. Word comment stripping and Office/Word namespace-tag removal now use linear scans that cannot backtrack on hostile input or leave a stray comment opener behind.
diff --git a/bun.lock b/bun.lock
index 46eacec43..e191e27da 100644
--- a/bun.lock
+++ b/bun.lock
@@ -238,7 +238,7 @@
     },
     "packages/agents": {
       "name": "@eigenpal/docx-editor-agents",
-      "version": "1.5.0",
+      "version": "1.8.3",
       "dependencies": {
         "docxtemplater": "^3.50.0",
         "jszip": "^3.10.1",
@@ -269,12 +269,13 @@
     },
     "packages/core": {
       "name": "@eigenpal/docx-editor-core",
-      "version": "1.5.0",
+      "version": "1.8.3",
       "bin": {
         "docx-editor-mcp": "./dist/mcp-cli.mjs",
       },
       "dependencies": {
         "docxtemplater": "^3.50.0",
+        "dompurify": "^3.2.0",
         "jszip": "^3.10.1",
         "pizzip": "^3.1.7",
         "xml-js": "^1.6.11",
@@ -305,7 +306,7 @@
     },
     "packages/i18n": {
       "name": "@eigenpal/docx-editor-i18n",
-      "version": "1.5.0",
+      "version": "1.8.3",
       "devDependencies": {
         "tsup": "^8.0.1",
         "typescript": "^5.3.3",
@@ -313,7 +314,7 @@
     },
     "packages/nuxt": {
       "name": "@eigenpal/nuxt-docx-editor",
-      "version": "1.5.0",
+      "version": "1.8.3",
       "dependencies": {
         "@eigenpal/docx-editor-vue": "^1.0.3",
         "@nuxt/kit": "^3.14.0 || ^4.0.0",
@@ -339,7 +340,7 @@
     },
     "packages/react": {
       "name": "@eigenpal/docx-editor-react",
-      "version": "1.5.0",
+      "version": "1.8.3",
       "dependencies": {
         "@eigenpal/docx-editor-agents": "^1.5.0",
         "@eigenpal/docx-editor-core": "^1.5.0",
@@ -379,7 +380,7 @@
     },
     "packages/vue": {
       "name": "@eigenpal/docx-editor-vue",
-      "version": "1.5.0",
+      "version": "1.8.3",
       "dependencies": {
         "@eigenpal/docx-editor-agents": "^1.3.1",
         "@eigenpal/docx-editor-core": "^1.3.1",
@@ -1245,6 +1246,8 @@
 
     "@types/resolve": ["@types/resolve@1.20.2", "", {}, "sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q=="],
 
+    "@types/trusted-types": ["@types/trusted-types@2.0.7", "", {}, "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw=="],
+
     "@types/unist": ["@types/unist@3.0.3", "", {}, "sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q=="],
 
     "@types/whatwg-mimetype": ["@types/whatwg-mimetype@3.0.2", "", {}, "sha512-c2AKvDT8ToxLIOUlN51gTiHXflsfIFisS4pO7pDPoKouJCESkhZnEy623gwP9laCy5lnLDAw1vAzu2vM2YLOrA=="],
@@ -1729,6 +1732,8 @@
 
     "domhandler": ["domhandler@5.0.3", "", { "dependencies": { "domelementtype": "^2.3.0" } }, "sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w=="],
 
+    "dompurify": ["dompurify@3.4.10", "", { "optionalDependencies": { "@types/trusted-types": "^2.0.7" } }, "sha512-0xzNv0e7oYC6yyuOGZIABPM4qtg3QxLFniDNPP4ZP90wR8Yq3zgwpRbrNiT4N3IKqDbbYFEJLV+JWEs19aZ//w=="],
+
     "domutils": ["domutils@3.2.2", "", { "dependencies": { "dom-serializer": "^2.0.0", "domelementtype": "^2.3.0", "domhandler": "^5.0.3" } }, "sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw=="],
 
     "dot-prop": ["dot-prop@10.1.0", "", { "dependencies": { "type-fest": "^5.0.0" } }, "sha512-MVUtAugQMOff5RnBy2d9N31iG0lNwg1qAoAOn7pOK5wf94WIaE3My2p3uwTQuvS2AcqchkcR3bHByjaM0mmi7Q=="],
diff --git a/packages/core/package.json b/packages/core/package.json
index 1e712eb90..6d6003378 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -608,6 +608,7 @@
   },
   "dependencies": {
     "docxtemplater": "^3.50.0",
+    "dompurify": "^3.2.0",
     "jszip": "^3.10.1",
     "pizzip": "^3.1.7",
     "xml-js": "^1.6.11"
diff --git a/packages/core/src/utils/__tests__/clipboard-html.test.ts b/packages/core/src/utils/__tests__/clipboard-html.test.ts
new file mode 100644
index 000000000..791124f82
--- /dev/null
+++ b/packages/core/src/utils/__tests__/clipboard-html.test.ts
@@ -0,0 +1,104 @@
+import { GlobalRegistrator } from '@happy-dom/global-registrator';
+import { afterAll, beforeAll, describe, expect, test } from 'bun:test';
+
+import { cleanWordHtml, htmlToRuns } from '../clipboard';
+
+// htmlToRuns binds DOMPurify to the live window lazily on first call, so a
+// window registered before any test runs is sufficient.
+beforeAll(() => GlobalRegistrator.register());
+afterAll(() => GlobalRegistrator.unregister());
+
+describe('cleanWordHtml comment stripping', () => {
+  test('removes plain HTML comments', () => {
+    expect(cleanWordHtml('a<!-- hidden -->b')).toBe('ab');
+  });
+
+  test('removes Word downlevel conditional comments', () => {
+    const html = 'x<!--[if gte mso 9]><xml>junk</xml><![endif]-->y';
+    expect(cleanWordHtml(html)).toBe('xy');
+  });
+
+  test('leaves no stray "<!--" when a comment is unterminated', () => {
+    // Incomplete-multi-character-sanitization regression: a lone, unterminated
+    // comment opener must not survive the cleanup.
+    expect(cleanWordHtml('safe<!--dangling')).not.toContain('<!--');
+  });
+
+  test('stays linear on adversarial conditional-comment input (no ReDoS)', () => {
+    // Polynomial-ReDoS regression: a long run of conditional-comment openers
+    // used to backtrack quadratically. This must finish near-instantly.
+    const evil = '<!--[if '.repeat(50_000);
+    const start = performance.now();
+    cleanWordHtml(evil);
+    expect(performance.now() - start).toBeLessThan(5_000);
+  });
+});
+
+describe('cleanWordHtml namespace-tag stripping', () => {
+  test('removes paired o:/w: namespace blocks and their content', () => {
+    expect(cleanWordHtml('a<o:p>junk</o:p>b')).toBe('ab');
+    expect(cleanWordHtml('a<w:p>junk</w:p>b')).toBe('ab');
+    // First-close-wins (same as the prior lazy regex): the inner close pairs
+    // with the opener, leaving the trailing close tag behind.
+    expect(cleanWordHtml('a<o:x>1</o:y>2</o:z>b')).toBe('a2</o:z>b');
+  });
+
+  test('strips namespace tags case-insensitively (matches the prior /gi regex)', () => {
+    expect(cleanWordHtml('a<O:P>junk</O:P>b')).toBe('ab');
+    expect(cleanWordHtml('a<W:sdt>junk</w:Sdt>b')).toBe('ab');
+  });
+
+  test('removes self-closing o:/w: tags', () => {
+    expect(cleanWordHtml('a<o:p/>b')).toBe('ab');
+  });
+
+  test('keeps content when a namespace opener has no closing tag', () => {
+    // Matches the prior lazy-regex behavior: an unmatched opener is left as-is.
+    expect(cleanWordHtml('keep<o:p>this')).toContain('this');
+  });
+
+  test('stays linear on many unterminated namespace openers (no ReDoS)', () => {
+    // `/<o:[^>]*>[\s\S]*?<\/o:[^>]*>/` backtracked quadratically here.
+    const evil = '<o:p>'.repeat(200_000);
+    const start = performance.now();
+    cleanWordHtml(evil);
+    expect(performance.now() - start).toBeLessThan(5_000);
+  });
+});
+
+describe('htmlToRuns sanitizes and does not execute markup', () => {
+  const runText = (runs: ReturnType<typeof htmlToRuns>): string =>
+    runs
+      .flatMap((r) => r.content ?? [])
+      .map((c) => ('text' in c ? c.text : ''))
+      .join('');
+
+  // NOTE on coverage: these tests verify text extraction and the security
+  // boundary (no script/handler execution, no global mutation). They do NOT
+  // assert that visual formatting (bold/color/font) survives, because under
+  // happy-dom DOMPurify strips formatting tags/attributes. In a real browser
+  // (and jsdom) DOMPurify's default allowlist keeps `<b>/<i>/<u>/<span>` and
+  // the `style` attribute, so consumers calling htmlToRuns get formatting
+  // intact; that path is the DOMPurify default, not asserted here.
+  test('extracts text from pasted HTML', () => {
+    const runs = htmlToRuns('<p>Hello <b>world</b></p>', 'Hello world');
+    expect(runText(runs)).toContain('Hello');
+    expect(runText(runs)).toContain('world');
+  });
+
+  test('does not execute or leak injected handlers/scripts', () => {
+    const g = globalThis as Record<string, unknown>;
+    delete g.__pwned;
+    for (const payload of [
+      '<img src=x onerror="globalThis.__pwned=1">hi',
+      '<svg onload="globalThis.__pwned=1"></svg>hi',
+      '<a href="javascript:globalThis.__pwned=1">hi</a>',
+    ]) {
+      const runs = htmlToRuns(payload, 'hi');
+      // No handler fires (DOMPurify strips them; parsing is inert anyway), and
+      // benign text still comes through.
+      expect(g.__pwned).toBeUndefined();
+      expect(runText(runs)).toContain('hi');
+    }
+  });
+});
diff --git a/packages/core/src/utils/clipboard.ts b/packages/core/src/utils/clipboard.ts
index 4d674a8f8..0c976f9d4 100644
--- a/packages/core/src/utils/clipboard.ts
+++ b/packages/core/src/utils/clipboard.ts
@@ -8,9 +8,21 @@
  * - Ctrl+C, Ctrl+V, Ctrl+X keyboard shortcuts
  */
 
+import createDOMPurify from 'dompurify';
+
 import type { Run, TextFormatting, Paragraph, Theme } from '../types/document';
 import { resolveColorToHex } from './colorResolver';
 
+// dompurify's default export only auto-binds `sanitize` to a `window` that
+// exists at import time (always true in the browser). Bind explicitly to the
+// live window on first use so it also works when a DOM is installed after this
+// module is evaluated (e.g. test environments). The default export is callable
+// as a factory whether it is the bare factory or an already-bound instance.
+let domPurify: ReturnType<typeof createDOMPurify> | undefined;
+function getDomPurify(): ReturnType<typeof createDOMPurify> {
+  return (domPurify ??= createDOMPurify(window));
+}
+
 // ============================================================================
 // TYPES
 // ============================================================================
@@ -412,25 +424,96 @@ export function isEditorHtml(html: string): boolean {
   );
 }
 
+/**
+ * Strip every HTML comment, including downlevel conditional comments
+ * (`<!--[if ...]> ... <![endif]-->`).
+ *
+ * Uses a single linear scan instead of a regex: clipboard HTML is
+ * attacker-controlled, and a lazy `<!--[\s\S]*?-->` against a multi-character
+ * terminator backtracks polynomially. The scan also guarantees no stray
+ * `<!--` survives (an unterminated comment is dropped through end-of-string),
+ * which a single regex pass cannot promise.
+ */
+function stripHtmlComments(html: string): string {
+  let result = '';
+  let i = 0;
+  while (i < html.length) {
+    const start = html.indexOf('<!--', i);
+    if (start === -1) {
+      result += html.slice(i);
+      break;
+    }
+    result += html.slice(i, start);
+    const end = html.indexOf('-->', start + 4);
+    if (end === -1) {
+      // Unterminated comment: drop the remainder so no `<!--` can leak through.
+      break;
+    }
+    i = end + 3;
+  }
+  return result;
+}
+
+/**
+ * Remove `<prefix...> ... </prefix...>` element blocks (e.g. Office `<o:...>`
+ * and Word `<w:...>` namespaced tags) from attacker-controlled clipboard HTML.
+ *
+ * Linear scan instead of `/<prefix[^>]*>[\s\S]*?<\/prefix[^>]*>/gi`: that lazy
+ * pattern backtracks polynomially (O(n^2)) on hostile input with many openers
+ * and no close tag. Mirrors the regex's first-close-wins semantics — each
+ * opener is paired with the next close tag anywhere ahead; an opener with no
+ * close tag anywhere is left intact (exactly what the lazy regex did).
+ */
+function stripPairedNamespaceTags(html: string, prefix: string): string {
+  const open = '<' + prefix;
+  const close = '</' + prefix;
+  // Search case-insensitively to match the `/gi` regex this replaced (Word can
+  // emit `<o:p>` in any case). Tag markers are located in a lowercased copy;
+  // slices are taken from the original `html` so kept text keeps its casing.
+  const lower = html.toLowerCase();
+  let result = '';
+  let i = 0;
+  while (i < html.length) {
+    const start = lower.indexOf(open, i);
+    if (start === -1) {
+      result += html.slice(i);
+      break;
+    }
+    const openTagEnd = html.indexOf('>', start);
+    const closeStart = openTagEnd === -1 ? -1 : lower.indexOf(close, openTagEnd + 1);
+    const closeTagEnd = closeStart === -1 ? -1 : html.indexOf('>', closeStart);
+    if (closeTagEnd === -1) {
+      // No complete `<prefix...>...</prefix...>` remains anywhere ahead, so no
+      // later opener can be paired either. Keep the rest verbatim and stop —
+      // this is what makes the scan linear (no rescanning for every opener).
+      result += html.slice(i);
+      break;
+    }
+    // Drop the whole block, keeping the text before this opener.
+    result += html.slice(i, start);
+    i = closeTagEnd + 1;
+  }
+  return result;
+}
+
 /**
  * Clean Microsoft Word HTML
  */
 export function cleanWordHtml(html: string): string {
   let cleaned = html;
 
-  // Remove Word-specific comments
-  cleaned = cleaned.replace(/<!--\[if[\s\S]*?<!\[endif\]-->/gi, '');
-  cleaned = cleaned.replace(/<!--[\s\S]*?-->/g, '');
+  // Remove Word-specific (and all other) HTML comments
+  cleaned = stripHtmlComments(cleaned);
 
   // Remove XML declarations
   cleaned = cleaned.replace(/<\?xml[^>]*>/gi, '');
 
-  // Remove o: (Office) namespace tags
-  cleaned = cleaned.replace(/<o:[^>]*>[\s\S]*?<\/o:[^>]*>/gi, '');
+  // Remove o: (Office) namespace tags (linear scan; see stripPairedNamespaceTags)
+  cleaned = stripPairedNamespaceTags(cleaned, 'o:');
   cleaned = cleaned.replace(/<o:[^>]*\/>/gi, '');
 
   // Remove w: (Word) namespace tags
-  cleaned = cleaned.replace(/<w:[^>]*>[\s\S]*?<\/w:[^>]*>/gi, '');
+  cleaned = stripPairedNamespaceTags(cleaned, 'w:');
   cleaned = cleaned.replace(/<w:[^>]*\/>/gi, '');
 
   // Remove mso styles but keep other styles
@@ -463,8 +546,14 @@ export function htmlToRuns(html: string, plainTextFallback: string): Run[] {
     return plainTextFallback ? [createTextRun(plainTextFallback)] : [];
   }
 
-  const container = document.createElement('div');
-  container.innerHTML = html;
+  // Sanitize the attacker-controlled clipboard HTML at this trust boundary
+  // (scripts, event handlers, javascript: URLs, dangerous tags all stripped),
+  // then parse the cleaned markup into an inert document. We only walk the
+  // resulting node tree for text and formatting — nothing is ever inserted
+  // into the live DOM.
+  const sanitized = getDomPurify().sanitize(html);
+  const parsed = new DOMParser().parseFromString(sanitized, 'text/html');
+  const container = parsed.body;
 
   const runs: Run[] = [];
   processNode(container, runs, {});