I think, the best soultuion is to support our sanitization config at the pasteConfig.tags configuration:

  static get pasteConfig() {
    return {
      tags: [ 'img[src]' ],  // <-- all attributes except 'src' will be stripped
    };
  }

Thank you for addressing this issue! FWIW, I'd suggest using tools focused on XSS sanitization such as dompurify.

I think, the best soultuion is to support our sanitization config at the pasteConfig.tags configuration:

  static get pasteConfig() {
    return {
      tags: [ 'img[src]' ],  // <-- all attributes except 'src' will be stripped
    };
  }

@neSpecc I tried this solution but in that case, the configuration for sanitisation is as below:

{
    "p": true,
    "h1": true,
    "h2": true,
    "h3": true,
    "h4": true,
    "h5": true,
    "h6": true,
    "img[src]": true,
    "pre": true,
    "b": {},
    "i": {},
    "a": {
        "href": true,
        "target": "_blank",
        "rel": "nofollow"
    },
    "mark": {
        "class": "cdx-marker"
    },
    "code": {
        "class": "inline-code"
    },
    "br": {}
}```
and in that case, if I paste this correct configuration.
`<img src='https://cdn.pixabay.com/photo/2015/04/23/22/00/tree-736885__480.jpg'/>`
it's not working. the sanitized data comes empty and it pastes as text.

Thank you for addressing this issue! FWIW, I'd suggest using tools focused on XSS sanitization such as dompurify.

@jorgectf We are planning to integrate the library you recommended in our next release because accordingly, we need to update every tool with the API. So, this is just a hotfix right now.

I think, the best soultuion is to support our sanitization config at the pasteConfig.tags configuration:

  static get pasteConfig() {
    return {
      tags: [ 'img[src]' ],  // <-- all attributes except 'src' will be stripped
    };
  }

@neSpecc I tried this solution but in that case, the configuration for sanitisation is as below:

{
    "p": true,
    "h1": true,
    "h2": true,
    "h3": true,
    "h4": true,
    "h5": true,
    "h6": true,
    "img[src]": true,
    "pre": true,
    "b": {},
    "i": {},
    "a": {
        "href": true,
        "target": "_blank",
        "rel": "nofollow"
    },
    "mark": {
        "class": "cdx-marker"
    },
    "code": {
        "class": "inline-code"
    },
    "br": {}
}```
and in that case, if I paste this correct configuration.
`<img src='https://cdn.pixabay.com/photo/2015/04/23/22/00/tree-736885__480.jpg'/>`
it's not working. the sanitized data comes empty and it pastes as text.

You should not create a config manually, it should be collected from tools. For example, Image tool should change img with img[src] here

I think, the best soultuion is to support our sanitization config at the pasteConfig.tags configuration:

  static get pasteConfig() {
    return {
      tags: [ 'img[src]' ],  // <-- all attributes except 'src' will be stripped
    };
  }

@neSpecc I tried this solution but in that case, the configuration for sanitisation is as below:

{
    "p": true,
    "h1": true,
    "h2": true,
    "h3": true,
    "h4": true,
    "h5": true,
    "h6": true,
    "img[src]": true,
    "pre": true,
    "b": {},
    "i": {},
    "a": {
        "href": true,
        "target": "_blank",
        "rel": "nofollow"
    },
    "mark": {
        "class": "cdx-marker"
    },
    "code": {
        "class": "inline-code"
    },
    "br": {}
}```
and in that case, if I paste this correct configuration.
`<img src='https://cdn.pixabay.com/photo/2015/04/23/22/00/tree-736885__480.jpg'/>`
it's not working. the sanitized data comes empty and it pastes as text.

You should not create a config manually, it should be collected from tools. For example, Image tool should change img with img[src] here

Yup, I have done the same things I am just doing console.log inside the Paste module as debugging. So I know it will take updated value from simple-image tool

add a changelog describing fix and API change please

The solution still does not work as expected. If a Tool does not specify the sanitizer config, all attributes should be removed. For now, it doesn't work.

I'm digging into it.

Seems ok for now. Will test it again tomorrow

hey @neSpecc, Pls check and let me know when to merge.

Sorry, the last test became a problem and I've spent some time on it. I've found the bug with our sanitizing dependency HTMLJanitor. It has a bug with Table sanitizing (guardian/html-janitor#3) so I've added a few lines to handle that case. Now all the tests work fine.