froala / wysiwyg-editor

The next generation Javascript WYSIWYG HTML Editor.
https://www.froala.com/wysiwyg-editor

<object data="javascript:..."> XSS is not sanitized #4219

Closed flaffyyeti closed 2 years ago

flaffyyeti commented 3 years ago

When it is included in source view, it should be sanitized to prevent JavaScript execution.

On current https://froala.com/wysiwyg-editor/ page, the issue could be reproduced on Firefox browser.

Browser: Firefox 79.0

Recording froala_xss

AkshayCM commented 2 years ago

Thank you for your feedback. The request has been reported to the product management team for evaluation and consideration for an upcoming release.

skazis commented 2 years ago

Hi, what's the progress with this bug? Security audits do not like this.

@AkshayCM - what did the management team conclude?

ilyaskarim commented 2 years ago

You'll need to include the domPurify library in order to sanitize the HTML, please see: https://jsfiddle.net/shashikantu7/hu20xo4d/2/.
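Added example, not code from the issue, from Froala or from DOMPurify: the URL-scheme check a sanitizer has to apply to URL-bearing attributes such as the `data` attribute of `<object>` reported above, with the normalisation (case, control characters, numeric entities) that a naive `startsWith('javascript:')` test misses. It assumes a single tag string as input and a simplified attribute regex; DOMPurify, as suggested in the comment, works on a parsed DOM and drops `<object>` outright under its default configuration, which remains the robust route.

```javascript
// Added example (not Froala's or DOMPurify's code): the URL-scheme check a
// sanitizer must apply to URL-bearing attributes such as <object data=...>.
// Browsers normalise a URL before resolving it, so the check must do the same
// or a script scheme written with odd case, embedded control characters or
// numeric entities slips past a naive prefix test.
// Assumption: input is a single tag string; the attribute regex is a
// simplification for this demonstration, not a full HTML parser.

// Attributes that take a URL and can therefore carry a script scheme.
const URL_ATTRS = new Set(['data', 'src', 'href', 'action', 'formaction', 'xlink:href']);
// data: is blocked conservatively; a data:text/html document in <object> runs script.
const SCRIPT_SCHEMES = /^(?:javascript|vbscript|data):/;

// Decode decimal/hex numeric character references (&#106; &#x6A;) and the
// few named entities an attribute value is likely to carry.
function decodeEntities(value) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(amp|lt|gt|quot|apos);/g, (_, n) => named[n]);
}

// Browsers strip ASCII whitespace and control characters (U+0000-U+0020)
// from a URL before parsing and match the scheme case-insensitively.
function normalizeUrl(value) {
  return decodeEntities(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
}

function isDangerousUrl(value) {
  return SCRIPT_SCHEMES.test(normalizeUrl(value));
}

// Remove URL attributes carrying a script scheme from one tag; keep the rest.
function stripDangerousUrlAttrs(tagHtml) {
  const attrRe = /\s+([a-zA-Z:_-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))/g;
  return tagHtml.replace(attrRe, (match, name, dq, sq, bare) => {
    const value = dq ?? sq ?? bare ?? '';
    if (URL_ATTRS.has(name.toLowerCase()) && isDangerousUrl(value)) return '';
    return match;
  });
}

// Constructed sample: the payload shape reported in this issue.
const SAMPLE = '<object data="javascript:alert(1)" type="text/html">';
console.log(stripDangerousUrlAttrs(SAMPLE)); // <object type="text/html">
```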