From a2a6099181d8d1d2fbdb27617a7bb33589825a9a Mon Sep 17 00:00:00 2001
From: Alan <alan@roojs.com>
Date: Mon, 11 Sep 2023 10:56:13 +0800
Subject: [PATCH] paste filtering should be stricter than sync

---
 docs/src/Roo_HtmlEditorCore.js.html | 30 +++++++++++++++--------------
 roojs-bootstrap-debug.js            |  6 ++++--
 roojs-bootstrap.js                  | 18 ++++++++---------
 3 files changed, 29 insertions(+), 25 deletions(-)

diff --git a/docs/src/Roo_HtmlEditorCore.js.html b/docs/src/Roo_HtmlEditorCore.js.html
index f0c3f2bfde..c1d85f0fac 100644
--- a/docs/src/Roo_HtmlEditorCore.js.html
+++ b/docs/src/Roo_HtmlEditorCore.js.html
@@ -699,20 +699,22 @@
                     </span><span class="jsdoc-string">'name'</span><span class="jsdoc-syntax">,
                     </span><span class="jsdoc-string">'align'</span><span class="jsdoc-syntax">,
                     </span><span class="jsdoc-string">'colspan'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'rowspan'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'data-display'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'data-caption-display'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'data-width'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'data-caption'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'start' </span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'style'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-comment">// youtube embed.
-                    </span><span class="jsdoc-string">'class'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'allowfullscreen'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'frameborder'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'width'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'height'</span><span class="jsdoc-syntax">,
-                    </span><span class="jsdoc-string">'alt'
+                    </span><span class="jsdoc-string">'rowspan'
+                </span><span class="jsdoc-comment">/*  THESE ARE NOT ALLWOED FOR PASTE
+                 *    'data-display',
+                    'data-caption-display',
+                    'data-width',
+                    'data-caption',
+                    'start' ,
+                    'style',
+                    // youtube embed.
+                    'class',
+                    'allowfullscreen',
+                    'frameborder',
+                    'width',
+                    'height',
+                    'alt'
+                    */
                     </span><span class="jsdoc-syntax">],
                 </span><span class="jsdoc-var">attrib_clean </span><span class="jsdoc-syntax">: [</span><span class="jsdoc-string">'href'</span><span class="jsdoc-syntax">, </span><span class="jsdoc-string">'src' </span><span class="jsdoc-syntax">]
             });
diff --git a/roojs-bootstrap-debug.js b/roojs-bootstrap-debug.js
index ef5098bbea..7022c7c271 100644
--- a/roojs-bootstrap-debug.js
+++ b/roojs-bootstrap-debug.js
@@ -31775,8 +31775,9 @@ Roo.extend(Roo.HtmlEditorCore, Roo.Component,  {
                     'name',
                     'align',
                     'colspan',
-                    'rowspan',
-                    'data-display',
+                    'rowspan' 
+                /*  THESE ARE NOT ALLWOED FOR PASTE
+                 *    'data-display',
                     'data-caption-display',
                     'data-width',
                     'data-caption',
@@ -31789,6 +31790,7 @@ Roo.extend(Roo.HtmlEditorCore, Roo.Component,  {
                     'width',
                     'height',
                     'alt'
+                    */
                     ],
                 attrib_clean : ['href', 'src' ] 
             });
diff --git a/roojs-bootstrap.js b/roojs-bootstrap.js
index ab86e6d24d..a6955bf58c 100644
--- a/roojs-bootstrap.js
+++ b/roojs-bootstrap.js
@@ -1373,15 +1373,15 @@ var r=new FileReader();var t=this;r.addEventListener('load',function(){var d=(ne
 }var B=[];var C=cd.getData('text/html');if(cd.types.indexOf('text/rtf')>-1){var D=new Roo.rtf.Parser(cd.getData('text/rtf'));B=D.doc?D.doc.getElementsByType('pict'):[];}B=B.filter(function(g){return !g.path.match(/^rtf\/(head|pgdsctbl|listtable|footerf)/);
 }).map(function(g){return g.toDataURL();}).filter(function(g){return g!='about:blank';});C=this.cleanWordChars(C);var d=(new DOMParser().parseFromString(C,'text/html')).body;var sn=this.getParentElement();if(d.getElementsByTagName('table').length&&sn&&sn.closest('table')){e.preventDefault();
 this.insertAtCursor("You can not nest tables");return false;}if(B.length>0){var ar=Array.from(d.getElementsByTagName('v:imagedata'));Roo.each(ar,function(E){E.parentNode.insertBefore(d.ownerDocument.createElement('img'),E);E.parentNode.removeChild(E);});Roo.each(d.getElementsByTagName('img'),function(E,i){E.setAttribute('src',B[i]);
-});}if(this.autoClean){new Roo.htmleditor.FilterWord({node:d});new Roo.htmleditor.FilterStyleToTag({node:d});new Roo.htmleditor.FilterAttributes({node:d,attrib_white:['href','src','name','align','colspan','rowspan','data-display','data-caption-display','data-width','data-caption','start','style','class','allowfullscreen','frameborder','width','height','alt'],attrib_clean:['href','src']}
-);new Roo.htmleditor.FilterBlack({node:d,tag:this.black});new Roo.htmleditor.FilterKeepChildren({node:d,tag:['FONT',':']});new Roo.htmleditor.FilterParagraph({node:d});new Roo.htmleditor.FilterSpan({node:d});new Roo.htmleditor.FilterLongBr({node:d});new Roo.htmleditor.FilterComment({node:d}
-);}if(this.enableBlocks){Array.from(d.getElementsByTagName('img')).forEach(function(E){if(E.closest('figure')){return;}var F=new Roo.htmleditor.BlockFigure({image_src:E.src});F.updateElement(E);});}this.insertAtCursor(d.innerHTML.replace(/&nbsp;/g,' '));if(this.enableBlocks){Roo.htmleditor.Block.initAll(this.doc.body);
-}e.preventDefault();this.owner.fireEvent('paste',this);return false;},onDestroy:function(){if(this.rendered){}},onFirstFocus:function(){this.assignDocWin();this.undoManager=new Roo.lib.UndoManager(100,(this.doc.body||this.doc.documentElement));this.activated=true;
-if(Roo.isGecko){this.win.focus();var s=this.win.getSelection();if(!s.focusNode||s.focusNode.nodeType!=3){var r=s.getRangeAt(0);r.selectNodeContents((this.doc.body||this.doc.documentElement));r.collapse(true);this.deferFocus();}try{this.execCmd('useCSS',true);
-this.execCmd('styleWithCSS',false);}catch(e){}}this.owner.fireEvent('activate',this);},adjustFont:function(A){var B=A.cmd=='increasefontsize'?1:-1;var v=parseInt(this.doc.queryCommandValue('FontSize')||3,10);if(Roo.isSafari){var sm={10:1,13:2,16:3,18:4,24:5,32:6,48:7}
-;v=(v<10)?10:v;v=(v>48)?48:v;v=typeof(sm[v])=='undefined'?1:sm[v];}v=Math.max(1,v+B);this.execCmd('FontSize',v);},onEditorEvent:function(e){if(e&&(e.ctrlKey||e.metaKey)&&e.keyCode===90){return;}if(e&&e.target.nodeName=='BODY'&&e.type=="mouseup"&&this.doc.body.lastChild){var lc=this.doc.body.lastChild;
-while((lc.nodeType==3&&lc.nodeValue=='')||lc.id=='gtx-trans'){lc=lc.previousSibling;}if(lc.nodeType==1&&lc.nodeName!='BR'){var ns=this.doc.createElement('br');this.doc.body.appendChild(ns);range=this.doc.createRange();range.setStartAfter(ns);range.collapse(true);
-var A=this.win.getSelection();A.removeAllRanges();A.addRange(range);}}this.fireEditorEvent(e);this.syncValue();},fireEditorEvent:function(e){this.owner.fireEvent('editorevent',this,e);},insertTag:function(tg){if(tg.toLowerCase()=='span'||tg.toLowerCase()=='code'||tg.toLowerCase()=='sup'||tg.toLowerCase()=='sub'){range=this.createRange(this.getSelection());
+});}if(this.autoClean){new Roo.htmleditor.FilterWord({node:d});new Roo.htmleditor.FilterStyleToTag({node:d});new Roo.htmleditor.FilterAttributes({node:d,attrib_white:['href','src','name','align','colspan','rowspan'],attrib_clean:['href','src']});new Roo.htmleditor.FilterBlack({node:d,tag:this.black}
+);new Roo.htmleditor.FilterKeepChildren({node:d,tag:['FONT',':']});new Roo.htmleditor.FilterParagraph({node:d});new Roo.htmleditor.FilterSpan({node:d});new Roo.htmleditor.FilterLongBr({node:d});new Roo.htmleditor.FilterComment({node:d});}if(this.enableBlocks){Array.from(d.getElementsByTagName('img')).forEach(function(E){if(E.closest('figure')){return;
+}var F=new Roo.htmleditor.BlockFigure({image_src:E.src});F.updateElement(E);});}this.insertAtCursor(d.innerHTML.replace(/&nbsp;/g,' '));if(this.enableBlocks){Roo.htmleditor.Block.initAll(this.doc.body);}e.preventDefault();this.owner.fireEvent('paste',this);
+return false;},onDestroy:function(){if(this.rendered){}},onFirstFocus:function(){this.assignDocWin();this.undoManager=new Roo.lib.UndoManager(100,(this.doc.body||this.doc.documentElement));this.activated=true;if(Roo.isGecko){this.win.focus();var s=this.win.getSelection();
+if(!s.focusNode||s.focusNode.nodeType!=3){var r=s.getRangeAt(0);r.selectNodeContents((this.doc.body||this.doc.documentElement));r.collapse(true);this.deferFocus();}try{this.execCmd('useCSS',true);this.execCmd('styleWithCSS',false);}catch(e){}}this.owner.fireEvent('activate',this);
+},adjustFont:function(A){var B=A.cmd=='increasefontsize'?1:-1;var v=parseInt(this.doc.queryCommandValue('FontSize')||3,10);if(Roo.isSafari){var sm={10:1,13:2,16:3,18:4,24:5,32:6,48:7};v=(v<10)?10:v;v=(v>48)?48:v;v=typeof(sm[v])=='undefined'?1:sm[v];}v=Math.max(1,v+B);
+this.execCmd('FontSize',v);},onEditorEvent:function(e){if(e&&(e.ctrlKey||e.metaKey)&&e.keyCode===90){return;}if(e&&e.target.nodeName=='BODY'&&e.type=="mouseup"&&this.doc.body.lastChild){var lc=this.doc.body.lastChild;while((lc.nodeType==3&&lc.nodeValue=='')||lc.id=='gtx-trans'){lc=lc.previousSibling;
+}if(lc.nodeType==1&&lc.nodeName!='BR'){var ns=this.doc.createElement('br');this.doc.body.appendChild(ns);range=this.doc.createRange();range.setStartAfter(ns);range.collapse(true);var A=this.win.getSelection();A.removeAllRanges();A.addRange(range);}}this.fireEditorEvent(e);
+this.syncValue();},fireEditorEvent:function(e){this.owner.fireEvent('editorevent',this,e);},insertTag:function(tg){if(tg.toLowerCase()=='span'||tg.toLowerCase()=='code'||tg.toLowerCase()=='sup'||tg.toLowerCase()=='sub'){range=this.createRange(this.getSelection());
 var A=this.doc.createElement(tg.toLowerCase());A.appendChild(range.extractContents());range.insertNode(A);return;}this.execCmd("formatblock",tg);this.undoManager.addEvent();},insertText:function(A){var B=this.createRange();B.deleteContents();B.insertNode(this.doc.createTextNode(A));
 this.undoManager.addEvent();},relayCmd:function(A,B){switch(A){case 'justifyleft':case 'justifyright':case 'justifycenter':var n=this.getParentElement();var td=n.closest('td');if(td){var bl=Roo.htmleditor.Block.factory(td);bl.textAlign=A.replace('justify','');
 bl.updateElement();this.owner.fireEvent('editorevent',this);return;}this.execCmd('styleWithCSS',true);break;case 'bold':case 'italic':case 'underline':this.execCmd('styleWithCSS',false);break;default:break;}this.win.focus();this.execCmd(A,B);this.owner.fireEvent('editorevent',this);
-- 
2.39.2