jhollingworth / bootstrap-wysihtml5

Simple, beautiful wysiwyg editor
http://jhollingworth.github.com/bootstrap-wysihtml5/
MIT License

XSS in bootstrap-wysihtml5 #340

Open soaj1664 opened 10 years ago

soaj1664 commented 10 years ago

Hi,

The editor is vulnerable to an XSS. The editor allows users to insert a link, and if instead of a normal link I input a JavaScript URI

javascript:alert%28location%29

then it works. The attacker can execute arbitrary code of his choice. Please fix this issue. Thanks!

dorgan commented 10 years ago

I would expect this to be how it works, as this is a WYSIWYG editor. If you're worried about that type of stuff, extend the code for your needs or filter this server side.

On Sunday, April 13, 2014, Ashar Javed notifications@github.com wrote:

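The filtering dorgan suggests, as an added example that is not code from bootstrap-wysihtml5 or from either commenter: an href scheme allowlist a deployment could apply before accepting a link from the editor, client-side and again server-side. The allowed scheme list and the function names are my own choices.

```javascript
// Added example, not part of bootstrap-wysihtml5. Only these schemes are
// accepted for an <a href>; everything else (javascript:, data:, vbscript:,
// unknown schemes) is rejected. Relative URLs have no scheme and pass.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Browsers decode HTML entities in the attribute value and then strip ASCII
// control characters and whitespace from the URL before reading the scheme,
// so "&#106;avascript:" and "java\tscript:" both run. Mirror that here so the
// check sees what the browser will see.
function normalizeHref(href) {
  let s = String(href);
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => {
    const cp = parseInt(h, 16);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
  s = s.replace(/&#(\d+);?/g, (_, d) => {
    const cp = parseInt(d, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
  s = s.replace(/[\u0000-\u0020\u007f]/g, "");
  return s.toLowerCase();
}

// True when the href is relative or uses an allowed scheme.
function isSafeHref(href) {
  const s = normalizeHref(href);
  const m = /^([a-z][a-z0-9+.-]*):/.exec(s);
  if (!m) {
    return true; // no scheme: relative URL, cannot be a javascript: URI
  }
  return ALLOWED_SCHEMES.has(m[1]);
}

// Replace a rejected href with an inert anchor instead of dropping the link.
function sanitizeHref(href) {
  return isSafeHref(href) ? href : "#";
}

// The value from the report above is rejected; an ordinary link passes.
sanitizeHref("javascript:alert%28location%29"); // → "#"
sanitizeHref("https://example.com/page");       // → "https://example.com/page"
```

Percent-encoding of the payload does not help an attacker here because the scheme itself is never percent-encoded by the browser; the check only needs to normalise entities, control characters and case.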