froala / angular-froala

Angular.js bindings for Froala WYSIWYG HTML Rich Text Editor.
https://froala.com/wysiwyg-editor
MIT License

XSS vulnerability #173

Closed kp-thibaut closed 1 year ago

kp-thibaut commented 6 years ago

The ngModel.$isEmpty function bypasses the native froala security cleaning method by executing the content of value with the jQuery function.

In my case, I just reuse the froala native html.clean method to fix it.

Like this:

```javascript
ngModel.$isEmpty = function (value) {
    if (!value) {
        return true;
    }

    // Run the value through froala's own cleaner before it ever touches the DOM.
    value = element.froalaEditor('clean.html', value, [], [], false);

    // Only the cleaned markup is parsed by jQuery and handed to node.isEmpty.
    var isEmpty = element.froalaEditor('node.isEmpty', jQuery('<div>' + value + '</div>').get(0));
    return isEmpty;
};
```

Example of XSS injection concerned: `Script URI scheme XSS test<img src="javascript:alert('XSS')">`

BTW, I have fixed some lint issues too, and all your tests are down due to the new jQuery version (3.3.1) from the froala dependencies.

As the change is not invasive, I push it without testing it via grunt. I've made some tests on my side.
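The underlying problem in the comment above is that a pure "is this value empty?" question was answered by instantiating the untrusted markup as live DOM nodes. An alternative to cleaning first is to never build nodes for the check at all. The following is an added example, not code from angular-froala, Froala, or this issue's author: it decides emptiness by scanning the markup as a string, so no element is created and no attribute (`onerror`, `src`, ...) gets a chance to act during the check. The definition of "empty" (no visible text and no media or structural element) and the tag list are assumptions approximating what an editor's `node.isEmpty` would answer, not the library's own rules.

```javascript
// Added example (not angular-froala code): an inert emptiness check for editor
// markup. Nothing here touches the DOM, so untrusted HTML cannot execute while
// being inspected.

// Elements that count as content even with no text inside them (assumed list).
const CONTENT_TAGS = new Set([
  'img', 'video', 'audio', 'iframe', 'embed', 'object', 'svg', 'table', 'hr',
]);

// Entities that render as whitespace and should not count as text (assumed list).
const WHITESPACE_ENTITIES = /&(nbsp|#160|#xa0);/gi;

// Matches an opening or closing tag and captures its name. Attribute values
// containing a literal '>' would split the tag; the remainder then counts as
// text, so the check errs toward "not empty", which is the safe direction.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)\b[^>]*>/g;

function isEmptyHtml(value) {
  if (!value) return true;

  // Drop comments first so "<!-- <img> -->" is not mistaken for content.
  const withoutComments = String(value).replace(/<!--[\s\S]*?-->/g, '');

  let hasContentTag = false;
  const textOnly = withoutComments.replace(TAG_RE, (match, name) => {
    if (CONTENT_TAGS.has(name.toLowerCase())) hasContentTag = true;
    return '';
  });

  const visibleText = textOnly.replace(WHITESPACE_ENTITIES, ' ').trim();
  return !hasContentTag && visibleText.length === 0;
}

// Constructed sample values, including the payload quoted in the issue.
const SAMPLES = [
  '',
  '<p><br></p>',
  '<p>&nbsp;</p>',
  '<!-- <img src="x"> -->',
  '<p>hello</p>',
  '<p><img src="x"></p>',
  'Script URI scheme XSS test<img src="javascript:alert(\'XSS\')">',
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), '->', isEmptyHtml(sample) ? 'empty' : 'not empty');
}
```

Because the function only ever sees a string, the question of whether jQuery or the browser would execute something on parse does not arise; whatever is eventually rendered still has to go through the editor's `clean.html` step, but the emptiness check no longer depends on it.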

benjifin commented 5 years ago

@shashankaccolite @stefanneculai hey do you have any comments on this issue? I work for Snyk, and this seems to be a disclosed and demonstrated security issue, and we would therefore like to add this to our DB - but wondered if you guys had any more context to give before we do that? Thanks!

kp-thibaut commented 1 year ago

Closed due to lack of consideration for 5 years. The framework is now deprecated.