froala / wysiwyg-editor

The next generation Javascript WYSIWYG HTML Editor.
https://www.froala.com/wysiwyg-editor

sanitizeURL is cutting off urls wherever "on" appears in the query string #4827

Open DarylBuckle opened 2 weeks ago

DarylBuckle commented 2 weeks ago

In froala-editor 4.2.2, if you insert a link with the letters "on" appearing in the query string, it will cut off the URL before the letters "on".

Had a look at the code, and it looks to be done in the sanitizeUrl function, namely this regex replace:

e=e.replace(/\s*on\w+=(["'][^"']*["']|\S+)/gi,"")

Found this when using the "react-froala-wysiwyg" package, but it can be recreated using the demo on the Froala website (https://froala.com/wysiwyg-editor/demo/).

Apologies if this is a duplicate, but I couldn't find anything relating to this.

Expected behavior.

When inserting a link the URL should not be cut off where "on" appears.

Actual behavior.

When inserting a link the URL is cut off before "on".

Steps to reproduce the problem.

Example URL: https://testurl.com/?transactionAmount=123

In Froala, Insert a link.

Paste the example URL into the URL field. Insert the link.

Inspect the HTML. The link will now be "https://testurl.com/?transacti"

Editor version.

4.2.2

OS.

Windows 11

Browser.

Chrome

Recording.

https://github.com/user-attachments/assets/2180adce-39d3-4094-a121-e35ffeb8579e
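The regex quoted above is clearly aimed at inline event-handler attributes (`onclick="..."`, `onerror=...`), but it is applied to the whole URL string, so any query parameter whose name ends in `on` followed by more word characters (`transactionAmount=`, `sessionId=`) matches, and the greedy `\S+` then swallows everything to the end of the URL. The following is an added example, not code from Froala or from anyone in this thread: it reproduces the truncation with the quoted regex, then shows one hypothetical alternative (an assumption of this example, not the fix announced for 4.3.1) that rejects dangerous schemes instead of rewriting the URL body and leaves quote handling to attribute escaping at render time. `sanitizeUrlByScheme`, `escapeAttr`, `renderLink`, the `ALLOWED_SCHEMES` list and all sample URLs are constructed for this example.

```javascript
// Added example, not Froala's code. Runs on Node.js >= 10 (uses the global WHATWG URL class).

// The regex exactly as quoted from the minified 4.2.2 sanitizeURL in this issue.
const ON_ATTR_RE = /\s*on\w+=(["'][^"']*["']|\S+)/gi;

// Behaviour reported for 4.2.2: drop anything that looks like on<word>=<value>.
// Because \S+ is greedy, the cut runs from the "on" to the next whitespace or end of string.
function stripOnHandlers(url) {
  return url.replace(ON_ATTR_RE, "");
}

// Hypothetical replacement (an assumption of this example): allow-list the scheme,
// which is the only part of an href that can execute script, and otherwise return the
// caller's string untouched. javascript:, data:, vbscript: and unknown schemes are rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);
// Base used only so relative input can be parsed for inspection; the original string,
// not the resolved form, is what gets returned.
const RESOLVE_BASE = "https://example.invalid/";

function sanitizeUrlByScheme(url) {
  const trimmed = url.trim();
  let parsed;
  try {
    parsed = new URL(trimmed, RESOLVE_BASE);
  } catch (_) {
    return null; // unparseable input is rejected, not patched up
  }
  // The URL parser lowercases the scheme and strips embedded tabs/newlines the way
  // browsers do, so "JaVaScRiPt:" and "java\tscript:" both normalise to "javascript:".
  return ALLOWED_SCHEMES.has(parsed.protocol) ? trimmed : null;
}

// Attribute-context escaping. Once quotes are encoded, a value such as
// `" onclick="alert(1)` cannot close the href and start a new attribute, which is
// the attack the on\w+= regex appears to have been written against.
function escapeAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return value.replace(/[&<>"']/g, (c) => map[c]);
}

// Render an anchor; a rejected URL drops the link and keeps the escaped text.
function renderLink(url, text) {
  const safe = sanitizeUrlByScheme(url);
  if (safe === null) return escapeAttr(text);
  return `<a href="${escapeAttr(safe)}">${escapeAttr(text)}</a>`;
}

// Constructed sample inputs: the URL from the report plus a few hostile ones.
const SAMPLES = [
  "https://testurl.com/?transactionAmount=123",
  "https://cdn.example/img?sessionId=abc&size=lg",
  "javascript:alert(1)",
  "  JaVaScRiPt:alert(1)",
  'https://testurl.com/?x=" onclick="alert(1)',
  "/relative/path?on=1",
];

for (const u of SAMPLES) {
  console.log(JSON.stringify(u));
  console.log("  4.2.2 regex :", JSON.stringify(stripOnHandlers(u)));
  console.log("  by scheme   :", JSON.stringify(sanitizeUrlByScheme(u)));
  console.log("  rendered    :", renderLink(u, "link"));
}
```

Running it shows `transactionAmount=123` and `sessionId=abc&size=lg` both losing their tail under the 4.2.2 regex, while the scheme check passes them through unchanged and still rejects `javascript:` in any casing. Note that `version=2` would survive the regex (it needs at least one word character between `on` and `=`), which is why the breakage looks intermittent across URLs.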

frenkel commented 2 weeks ago

I'm trying to upgrade from 4.0.17 to 4.0.18 and have this exact issue. It seems the sanitizeURL function was modified in that release. Our image URLs contain the word "on", so this breaks the images when you try to edit an existing image.

andravenBG commented 2 weeks ago

Hello, I had the same issue. It went to production and caused data corruption for users' links. I sent an email to support and they said they would look into it. Meanwhile, the solution that I found was to use an older version of the URL sanitizer. This was achieved by overriding the function with this code I found on another similar issue: https://github.com/froala/wysiwyg-editor/issues/1235#issuecomment-251943999 Just use this version of the sanitizer (from 2016) until they fix the issue. Hope this helps.

ilyaskarim commented 1 day ago

We are aware of this issue, and it is scheduled for a fix in our next editor release, V4.3.1.