Open collimarco opened 9 months ago
I did some testing now and unfortunately Editor.js seems vulnerable:

`javascript:alert('test')` as the URL href is added to the page without any sanitization (`<a href="javascript:alert('test')">` in the code).

Another test:

`"This is a paragraph <script> alert('xss') </script>"`
> Editor.js sanitizes all content in several cases: on render, on paste, and on save. https://editorjs.io/inline-tool-sanitizing/

This sentence is strange, because it's not the behavior that I am seeing.
Not sure which server-side language you use, but that shouldn't matter much. The output of EditorJS is JSON, so you convert that to whatever object representation your server-side language supports, sanitize each block, and then convert back to JSON. This should be fairly easy to do in the server-side programming, and you have full control over it.
> you convert that to whatever object representation your server-side language supports, sanitize each block, and then convert back to JSON

I've done that properly for our application, but it's really a tedious task: you need to unwrap the JSON and parse each field. And you need to implement that for each block that you use; it's not a single function.

I guess that many applications are vulnerable and simply load the saved JSON data into Editor.js.
Suppose that you have multiple users that collaborate on the same document. For example:

`This is a paragraph with [a link](javascript:alert('XSS!'))`

Does Editor.js sanitize the HTML tags and links when it loads them from existing JSON data?
Ideally Editor.js should perform the following sanitizations:

- allow only a safe set of HTML tags (`<b>`, `<i>`, `<a>`)
- allow only safe URL schemes in the href of links (`<a>`) (e.g. `https:`, but not `javascript:`)
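A server-side sanitizer of the kind discussed above (per-block JSON walk, tag allow-list, href scheme allow-list), written as an added example rather than Editor.js's own code. It assumes a hand-maintained `HTML_FIELDS` map of which data fields of each block type hold inline HTML; any block type missing from the map is rejected rather than passed through.

```javascript
// Added example (not Editor.js project code): sanitize saved Editor.js output JSON on the server.
// HTML_FIELDS is an assumption: it lists, per block type, the data fields that may contain inline HTML.
const HTML_FIELDS = { paragraph: ['text'], header: ['text'], quote: ['text', 'caption'], list: ['items'] };
const ALLOWED_TAGS = new Set(['b', 'i', 'a']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Decode numeric and &amp; entities first so an obfuscated "&#106;avascript:" is still seen as javascript:.
const cp = (n) => (n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '');
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => cp(Number(d)))
    .replace(/&amp;/gi, '&');
}

// A link target is kept only if it is relative or uses an allow-listed scheme (case and whitespace ignored).
function isSafeHref(href) {
  const url = decodeEntities(href).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = url.match(/^([a-z][a-z0-9+.-]*):/);
  return m ? ALLOWED_SCHEMES.has(m[1]) : true;
}

// Keep <b>, <i> and <a href="..."> (every attribute except a safe href is dropped);
// all other tags, including <script>, are removed, leaving only their text content.
function sanitizeHtml(html) {
  return html.replace(/<!--[\s\S]*?-->/g, '').replace(/<(\/?)([a-z][\w-]*)([^>]*)>/gi, (_, slash, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (slash || tag !== 'a') return `<${slash}${tag}>`;
    const m = attrs.match(/(?:^|\s)href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    const href = m ? (m[1] ?? m[2] ?? m[3]) : null;
    return href !== null && isSafeHref(href) ? `<a href="${href.replace(/"/g, '&quot;')}">` : '<a>';
  });
}

// Walk the saved document and sanitize every HTML-bearing field of every block; other fields are untouched.
function sanitizeBlocks(doc) {
  const blocks = (doc.blocks || []).map((block) => {
    const fields = HTML_FIELDS[block.type];
    if (!fields) throw new Error(`unhandled block type: ${block.type}`); // fail closed on unknown blocks
    const data = { ...block.data };
    for (const f of fields) {
      data[f] = Array.isArray(data[f]) ? data[f].map(sanitizeHtml) : sanitizeHtml(String(data[f] ?? ''));
    }
    return { ...block, data };
  });
  return { ...doc, blocks };
}
```

Run `sanitizeBlocks` on the JSON received from the client before storing it, and again on load if older data was saved unsanitized.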