Skip to content

bugfix added sanitization html preview to text.#587

Merged
kolkov merged 2 commits into
kolkov:mainfrom
MarioTesoro:bugfix/cross-site
Dec 17, 2025
Merged

bugfix added sanitization html preview to text.#587
kolkov merged 2 commits into
kolkov:mainfrom
MarioTesoro:bugfix/cross-site

Conversation

@MarioTesoro

@MarioTesoro MarioTesoro commented Dec 14, 2025

Copy link
Copy Markdown
Contributor

Hi @kolkov and contributors,

I've opened this PR to fix #580, the issue was in toggleEditorMode method.
According to the existing logic I made the sanitization optional only if the sanitizer is enabled.
I made also some tests and the xss is not triggered anymore. Anyway it may happen for some tags that are target of the sanitizer, returned as empty so the user will not have back the same html but I guess it's ok (it's how the sanitizer implemented into the project work).

Finally I would like to ask you if a CVE can be requested for the xss.

Thanks!

@MarioTesoro MarioTesoro requested a review from kolkov as a code owner December 14, 2025 15:40
@kolkov

kolkov commented Dec 15, 2025

Copy link
Copy Markdown
Owner

Hi @MarioTesoro, thank you for finding the real vulnerability!

You're absolutely right - the XSS was happening in toggleEditorMode(), not refreshView(). When switching from HTML source mode back to WYSIWYG, the user-entered HTML was being set via innerHTML without sanitization.

Great catch!

I have a couple of suggestions to improve the fix:

  1. Second code path - Line 360 also needs sanitization (the oContent.toString() fallback when querySelectorAll is not available).

  2. Code style consistency - Our existing pattern uses "this.config.sanitize !== false" instead of "this.config.sanitize || this.config.sanitize === undefined"

Would you like to update the PR with these changes, or would you prefer I merge this and add those fixes myself?

Regarding the CVE request - yes, this is a valid XSS vulnerability that should have a CVE. Once we merge and release v3.0.4, I'll file for a CVE with MITRE.

Thanks again for your persistence in tracking this down!

@kolkov kolkov mentioned this pull request Dec 15, 2025
Closed
@MarioTesoro

MarioTesoro commented Dec 17, 2025

Copy link
Copy Markdown
Contributor Author

Hi @kolkov,

sorry for delay. I've updated the PR with your suggestions in commit b0729c0.
Let me know if it looks ok.

Thanks!

@kolkov kolkov merged commit 1b6ee67 into kolkov:main Dec 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kolkov kolkov Awaiting requested review from kolkov kolkov is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security - Cross site scripting in html editor

2 participants

@MarioTesoro @kolkov