
Image urlEnabled can be XSS

Open StevenYuysy opened this issue 7 years ago • 3 comments

Steps to reproduce

  1. open https://jpuri.github.io/react-draft-wysiwyg/#/demo
  2. input "><script src="a.js">sd</script> and click add


StevenYuysy avatar Oct 19 '18 03:10 StevenYuysy

@StevenYuysy The library is developed and well known for its simplicity, and I loved implementing it in my community blogging project. It uses the draft-to-html library to convert raw content to HTML content (referring to the HTML mentioned in your comment), but I, personally, won't suggest inserting the received content directly into the DOM, as there may be many vulnerabilities. Rather, you can try sanitizing the HTML content using a library like dompurify, which worked great in my case and is also amazingly fast.

It removed the script part from the mentioned HTML and made it safe to insert in DOM.

Hope this helps someone who's looking for a solution for XSS prevention with this library.

swr7der avatar Oct 01 '20 21:10 swr7der

Although we can sanitize the returned HTML with a library like dompurify, this is certainly an unintended behavior (e.g., if the image link contains a double quote, the HTML will be broken).

The culprit is actually the draftjs-to-html library. As we can see here, it just uses string interpolation to put the src. There is no filter/escape. This bug should be fixed.

farisv avatar Apr 14 '21 15:04 farisv
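As an added example (not code from react-draft-wysiwyg or draftjs-to-html), the string-interpolation pattern farisv describes placed beside a version that escapes the attribute value and rejects non-http(s) schemes; the function names and the constructed URLs are assumptions, and the payload is the one from the issue report.

```javascript
// Vulnerable pattern: the src value is dropped straight into a double-quoted
// attribute, so a '"' in the value closes the attribute and whatever follows
// becomes markup. (Modelled on the interpolation described in the issue.)
function renderImageUnsafe(src) {
  return `<img src="${src}" alt="" style="height: auto;width: auto"/>`;
}

// Escape the characters that are significant inside a double-quoted HTML
// attribute value. '&' goes first so earlier replacements are not re-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Only http(s) image URLs are accepted; relative URLs are resolved against a
// placeholder base so they are treated as https. This blocks script-bearing
// schemes (e.g. javascript:) that escaping alone would not stop.
function isSafeImageUrl(src) {
  try {
    const u = new URL(String(src), 'https://example.invalid/'); // constructed base
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false; // unparseable input is rejected
  }
}

// Hardened renderer: validate the scheme, then escape before interpolating.
// Returns '' when the URL is rejected so the caller emits no tag at all.
function renderImageSafe(src) {
  if (!isSafeImageUrl(src)) return '';
  return `<img src="${escapeAttr(src)}" alt=""/>`;
}

// Payload from the issue report: breaks out of the attribute in the unsafe
// renderer, but survives only as escaped text in the safe one.
const ISSUE_PAYLOAD = '"><script src="a.js">sd</script>';

// Detection helper: a raw '<script' anywhere in the produced HTML means the
// value escaped the attribute context.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(containsRawScriptTag(renderImageUnsafe(ISSUE_PAYLOAD))); // true
console.log(containsRawScriptTag(renderImageSafe(ISSUE_PAYLOAD)));   // false
```

The same escaping also keeps a legitimate URL containing a double quote from breaking the generated markup, which is the non-XSS breakage farisv points out.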

Has this been resolved by now? ...

NikicaCh avatar Oct 07 '24 13:10 NikicaCh