1.0.1
Chrome Version 64.0.3282.167
The Viewer does not initialize the HtmlSanitizer. Only the editor does call convertor.initHtmlSanitizer() in its constructor.
This is true for new Viewer as well as for
TuiEditor.factory({
el,
viewer: true
})
Code to reproduce:
var Viewer = require('tui-editor/dist/tui-editor-Viewer');
var viewer = new Viewer({
el: document.querySelector('#viewerSection'),
initialValue: '<script>alert('xss')</script>'
});
Call convertor.initHtmlSanitizer() in Viewer constructor.
Nice catch @sean-nicholas
why don't you give me a pull request for this? you already have done almost everything.
just add an option like https://github.com/nhnent/tui.editor/blob/7127869676471f2023563adaaef4c527271adf7b/src/js/editor.js#L124
to viewer constructor too.
Your wish is my command 😉: #90
Ahh, there's something else. Should we report this at https://nodesecurity.io/report?
It might helps some people who use nsp
I just released 1.0.4 shipping your patch.
And please go ahead report it. Just specify the affected version right.
It'll help ppl to update to 1.0.4 and resolve this issue.
You did really great @sean-nicholas 🎉
Thank you again!
Thank you ☺️
And thank you for your quick release. I just installed 1.0.4 in my project and could remove the workaround 🎉
I reported it to nsp. I think they will get in touch with you soon.
Thanks & have a great day ☺️