Closed huntr-helper closed 4 years ago
@leftstick @cyyjs @clarifysky - any updates on this?
@hinesboy this PR broke the ability to use HTML code in the editor. Now it's not possible anymore to do something like this:
<span class="success">Success</span>
Also probably this other PR already solved the issue: https://github.com/hinesboy/mavonEditor/pull/538
If this is really required please at least add some props to customize the method used and whitelist some tags/attributes.
https://github.com/Asjidkalam fixed the vulnerability associated with Cross-Site Scripting. This fix is being submitted on behalf of https://github.com/Asjidkalam - they have been awarded $25 for fixing the vulnerability through the huntr bug bounty program. Think you could fix a vulnerability like this - get involved (https://huntr.dev).

Q | A
--- | ---
Version Affected | ALL
Bug Fix | YES
Further References | https://github.com/418sec/mavonEditor/pull/1
Related Issue | https://github.com/hinesboy/mavonEditor/issues/472
Original Comments:
Bug fix: Sanitized the input value on the textarea of the vNoteEdit panel using the xss module, so that it escapes all the inputs resulting in an XSS.
The XSS mitigation is implemented inside the watch: { value: function (val, oldVal) } hook, which passes the val variable through xss() and returns the escaped output to the d_value variable.
Files changed:
package.json
mavon-editor.vue
Bounty URL: https://huntr.dev/bounties/1-npm-mavon-editor
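The two policies this thread contrasts, the merged fix's "escape every tag" behaviour (which is why the `<span class="success">` from the comment above stops rendering) and the requested configurable tag/attribute whitelist, as an added JavaScript illustration that is neither mavonEditor's code nor the xss module; `sanitize` and the `{ tag: [attributes] }` whitelist shape are assumed names for this example only.

```javascript
// Minimal whitelist sanitizer, written for this example only (not the xss npm module).
// An empty whitelist escapes every tag, reproducing the behaviour the PR introduced;
// a whitelist keeps listed tags/attributes and escapes or drops everything else.

const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^<>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Text nodes: neutralise angle brackets only, leaving existing entities untouched.
function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Event handlers and script-bearing URL schemes are rejected even when the
// attribute name itself is whitelisted.
function isSafeAttr(name, value) {
  if (name.startsWith('on')) return false;
  const v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  return !/^(javascript|vbscript|data):/.test(v);
}

function renderTag(slash, name, attrs, allowedAttrs) {
  if (slash) return `</${name}>`;
  const kept = [];
  for (const m of attrs.matchAll(ATTR_RE)) {
    const aname = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (allowedAttrs.includes(aname) && isSafeAttr(aname, value)) {
      kept.push(`${aname}="${escapeAttr(value)}"`);
    }
  }
  return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
}

// whiteList maps a lower-case tag name to the attribute names allowed on it,
// e.g. { span: ['class'] }. hasOwnProperty guards against prototype names like "constructor".
function sanitize(html, whiteList = {}) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    const [tag, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    const allowed = Object.prototype.hasOwnProperty.call(whiteList, name);
    out += allowed ? renderTag(slash, name, attrs, whiteList[name]) : escapeText(tag);
    last = m.index + tag.length;
  }
  return out + escapeText(html.slice(last));
}
```

Calling `sanitize(val)` from the watcher would match the PR's escape-everything result, while `sanitize(val, { span: ['class'] })` is the kind of per-instance whitelist prop the reviewer asks for.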