Closed akhil-reni closed 5 months ago
You're an absolute star for raising this @akhil-reni. I have included this change in the following commit. This should hopefully be included in the main release tomorrow. Thanks!
This has now been released in version 1.4.7. Thank you!
Vulnerable code

Description
A potential security vulnerability exists in the PasteUtils class, specifically in the sanitizePastedTextContent method. The current implementation uses document.execCommand('insertHTML', false, text), which can allow JavaScript injection through pasted content.

Steps to Reproduce
PasteUtils.sanitizePastedTextContent is used.

Expected Behavior
Pasted text should be sanitized to prevent any potential JavaScript execution.

Actual Behavior
JavaScript can be executed through the execCommand('insertHTML', ...) method, leading to potential security risks.

Suggested Fix
Replace document.execCommand('insertHTML', false, text) with document.execCommand('insertText', false, text). This change will insert the text as plain text, mitigating the risk of JavaScript execution.

Additional Information
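Added example, not the project's code: a paste handler that applies the fix the issue proposes, with a small stand-in for document.execCommand so the difference between insertHTML and insertText can be shown outside a browser. The function names, the fake document and the sample pasted string are assumptions.

```javascript
// Escapes a string the way a browser serialises a text node. Used here only to
// model what 'insertText' yields compared with 'insertHTML'.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form from the issue: markup inside the pasted string is parsed by
// the editor, so any active content it carries is interpreted. Kept only for
// comparison with the fixed form below.
function insertPastedUnsafe(doc, text) {
  return doc.execCommand('insertHTML', false, text);
}

// Fixed form: the string becomes a text node, so tags stay literal characters.
function insertPastedSafe(doc, text) {
  return doc.execCommand('insertText', false, text);
}

// Paste handler (assumed name): read only the plain-text clipboard flavour,
// suppress the browser's default rich paste, and insert as text.
function onPaste(event, doc) {
  event.preventDefault();
  const text = event.clipboardData.getData('text/plain');
  insertPastedSafe(doc, text);
  return text;
}

// Constructed stand-in for document.execCommand (not the real implementation):
// 'insertHTML' appends raw markup to the editor content, 'insertText' appends
// the escaped serialisation of a text node.
function fakeDocument() {
  const doc = { html: '' };
  doc.execCommand = (command, _showUi, value) => {
    if (command === 'insertHTML') doc.html += value;
    else if (command === 'insertText') doc.html += escapeHtml(value);
    else return false;
    return true;
  };
  return doc;
}
```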