xdan / jodit

Jodit - Best WYSIWYG Editor for You
https://xdsoft.net/jodit/
MIT License
1.61k stars, 341 forks

Jodit Editor vulnerable to Cross-site Scripting #1145

Open avinashk2946 opened 1 month ago

avinashk2946 commented 1 month ago

Jodit Version: 3.24.2
Browser: Chrome
OS: Windows
Is React App: True

Description

Jodit Editor is a WYSIWYG editor written in pure TypeScript without the use of additional libraries. Jodit Editor is vulnerable to XSS attacks when pasting specially constructed input. This issue has not been fully patched. There are no known workarounds.

References
https://nvd.nist.gov/vuln/detail/CVE-2022-23461
https://securitylab.github.com/advisories/GHSL-2022-030_xdan_jodit/
https://github.com/advisories/GHSA-42hx-vrxx-5r6v

Code
<div onclick="(function(){ alert('Hey i am calling'); return false; })();return false;">fdfdfjdhfshdsj</div>

Output: (screenshot attached to the original issue)

xdan commented 4 weeks ago

Why do you think this is a vulnerability? You can also write JS in the editor. You can disable onclick attributes when editing in the clean-html plugin.
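The reply points at the clean-html plugin as the place to strip attributes such as onclick. The following is an added example, written for this page and not code from Jodit or from either participant, of what a paste filter has to do to be effective against the payload in the report and its usual variants: it goes beyond the single onclick case and drops every on* handler, removes href/src/action values whose scheme is not http, https or mailto (checked after entity decoding and control-character stripping, which is how a browser reads them, so `&#106;avascript:` and `java&#9;script:` are caught), and removes script-bearing elements together with their content. The tag scanner, the helper names and the attribute and scheme lists are this example's own assumptions; in a browser the same rules would be applied while walking a DOMParser tree. Whatever the editor filters, the same sanitization has to run server side before stored content is rendered to other users, since, as the reply notes, anyone can type script into the editor or submit content without it.

```javascript
// Added example, not Jodit's code: an allowlist filter for pasted HTML. Every on*
// handler is dropped, URL attributes are checked by scheme after entity decoding,
// and script-bearing elements go with their content. Names and lists are assumptions.
const EVENT_ATTR = /^on/i;
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href", "poster"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);   // add "data" only if data: images are wanted
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed", "template"]);
const NAMED = { colon: ":", tab: "\t", newline: "\n", amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

// Decode entities so "&#106;avascript:" and "javascript&colon;" are judged as the browser sees them.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, ent) => {
    const e = ent.toLowerCase();
    if (e[0] !== "#") return Object.prototype.hasOwnProperty.call(NAMED, e) ? NAMED[e] : match;
    const cp = e[1] === "x" ? parseInt(e.slice(2), 16) : parseInt(e.slice(1), 10);
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
  });
}

const escapeAttr = (s) => s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Browsers strip leading/trailing controls and drop tab/CR/LF anywhere before reading the
// scheme; removing every control character and space is a conservative superset of that.
function isSafeUrl(value) {
  const v = value.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m === null || SAFE_SCHEMES.has(m[1]);             // no scheme means a relative URL
}

// Parse the tag at html[start] === "<"; null if it is not one. Quoted values may contain ">".
function readTag(html, start) {
  let i = start + 1, selfClosing = false;
  const closing = html[i] === "/"; if (closing) i++;
  const nm = /^[a-zA-Z][a-zA-Z0-9:-]*/.exec(html.slice(i));
  if (!nm) return null;
  const name = nm[0].toLowerCase(), attrs = [];
  i += nm[0].length;
  while (i < html.length) {
    const c = html[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === ">") return { name, closing, selfClosing, attrs, end: i + 1 };
    if (c === "/") { selfClosing = true; i++; continue; }
    let j = i;
    while (j < html.length && !/[\s=>\/]/.test(html[j])) j++;
    const attrName = html.slice(i, j).toLowerCase();
    i = j; while (i < html.length && /\s/.test(html[i])) i++;
    let value = "";
    if (html[i] === "=") {
      i++; while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        const close = html.indexOf(q, i + 1);
        if (close === -1) return null;                         // unterminated quote
        value = html.slice(i + 1, close); i = close + 1;
      } else {
        j = i; while (j < html.length && !/[\s>]/.test(html[j])) j++;
        value = html.slice(i, j); i = j;                       // unquoted value ends at space or ">"
      }
    }
    if (attrName) attrs.push([attrName, value]);
  }
  return null;                                                 // no closing ">"
}

function sanitizePastedHtml(html) {
  let out = "", i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);
    const tag = readTag(html, lt);
    if (!tag) { out += "&lt;"; i = lt + 1; continue; }         // stray "<" (or "<!--") is text
    i = tag.end;
    if (DROP_WITH_CONTENT.has(tag.name)) {
      if (!tag.closing && !tag.selfClosing) {                  // skip through the close tag
        const m = new RegExp("</" + tag.name + "\\s*>", "i").exec(html.slice(i));
        i = m ? i + m.index + m[0].length : html.length;
      }
      continue;
    }
    if (tag.closing) { out += "</" + tag.name + ">"; continue; }
    const kept = [];
    for (const [name, raw] of tag.attrs) {
      if (EVENT_ATTR.test(name) || name === "srcdoc") continue;   // no handlers, no inline documents
      const value = decodeEntities(raw);
      if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue;     // javascript:, data:, vbscript: ...
      kept.push(" " + name + '="' + escapeAttr(value) + '"');
    }
    out += "<" + tag.name + kept.join("") + (tag.selfClosing ? " /" : "") + ">";
  }
  return out;
}

// The payload from the report above (constructed test input, not user data)
const reportPayload =
  '<div onclick="(function(){ alert(\'Hey i am calling\'); return false; })();return false;">fdfdfjdhfshdsj</div>';
console.log(sanitizePastedHtml(reportPayload));                // -> <div>fdfdfjdhfshdsj</div>
```

The filter is an allowlist on URL schemes and a denylist only on the `on*` prefix, which is safe because every HTML event-handler attribute starts with those two letters. Text nodes are passed through unchanged, so already-encoded entities in body text are not double-encoded, while attribute values are decoded, checked and re-escaped so their quoting is normalised.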