search

hifarer / vueditor

A wysiwyg editor written in Vue.js and Vuex.js
http://hifarer.github.io/vueditor/
MIT License
645 stars 112 forks source link

XSS :( #62

Open SakiiR opened 4 years ago

SakiiR commented 4 years ago

The editor is vulnerable to "self xss".

Consider filtering using DOMPurify or anything.

Reproduce:

Enter the following code in the "HTML editor feature":

<img src=x onerror=alert(1)>