Security - Cross site scripting in html editor

Poc:
1. Click on the code </> icon
2. Insert into the textarea the following payload `<img src="#" onerror=alert(2)>`
3. Press again on the </> icon to see the preview 
4. An alert that prints 2 appears.
To solve the issue it may be useful to pre-parse the html tags which allows javascript execution and then render them sanitized.

![Image](https://github.com/user-attachments/assets/09aa9d06-b414-49ae-989e-1f2ac698a174)

![Image](https://github.com/user-attachments/assets/870cf85c-787f-4abc-a16a-88cb78397ffe)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security - Cross site scripting in html editor #580

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Security - Cross site scripting in html editor #580

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions