Editor.js: [Bug] Pasted blocks are not sanitized, It may occurs XSS attack!

Created on 24 Oct 2020  路  3Comments  路  Source: codex-team/editor.js

Describe a bug.
Pasted blocks are not sanitized, It may occurs XSS attack!

Steps to reproduce:

  1. Copy blocks includes <b onclick="alert('XSS test')">Click me!</b>
  2. Paste blocks.
  3. Click it.

Please see the following GIF animation.

Expected behavior:
Pasted blocks should be sanitized.

Screenshots:
ezgif com-gif-maker (7)

Editor.js version: v2.19.0

bug ready for implementation

Most helpful comment

Actually, it will be sanitised on saving, so this is not a real vulnerability. But we will think about it.

All 3 comments

馃憢 @gohabereg @neSpecc did you have a chance to follow up on this issue?
We (at snyk) would like to add it to our vulnerability db if it is valid.

Actually, it will be sanitised on saving, so this is not a real vulnerability. But we will think about it.

@neSpecc Thank you! I'll fix it and send PR.

Was this page helpful?
0 / 5 - 0 ratings