
Plugin vulnerable to XSS Vulnerability #117

Open
emckerrow1 opened this issue Apr 11, 2024 · 2 comments

Comments

@emckerrow1

Describe the problem

When adding a payload to the edit HTML code editor after clicking the 'Show HTML code' button, the payload will execute (see screenshot).

(screenshot attached to the original issue)

What did you expect?

Validation to be applied that allows only expected tags and attributes.

What version and browser are you using?

Version: v1.1.0
Browser and version: Brave 1.64.116 Chromium: 123.0.6312.105 (Official Build) (64-bit)

Reproducible test case

  • Create environment with default settings (tested on a textarea field)
  • Click 'Show HTML code' button
  • Append payload to text editor. Payload example: <script>console.log(document.cookie)</script>
@webfashionist (Owner)

Hi @emckerrow1

Thank you for your notice.
However, I do see a problem in cases where a script tag should be added to include widgets or other embeds.

Simply disallowing the script tag does not seem to be the solution.

Do you have a specific fix in mind?

@emckerrow1 (Author)

Hi @webfashionist

Apologies, I have not had a chance to look for a more specific fix, directly for the plugin.

The best solution is to use sanitization, where appropriate. However, if this is not possible, it is worth documenting this issue, ensuring the developer using the plugin mitigates any potential malicious payloads and tailors script execution for their needs. I suggest they use a library like DOMPurify for user input sanitization and apply a CSP (Content Security Policy).

Sorry I cannot be more helpful at this time. I will let you know if I come up with an exact solution.
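Added illustration (not code from the plugin or from either participant in this thread): a minimal allowlist sanitizer in plain JavaScript of the kind the report asks for under "What did you expect?", where only expected tags and attributes survive and the body of a `script`/`style` element is removed rather than left behind as text. The tag allowlist, the `SAFE_URL` pattern, the helper names and the sample inputs are all constructed for this example; the first sample is the payload quoted in the issue.

```javascript
'use strict';

// Constructed allowlist for this example: tag -> attributes that may survive.
// Anything not listed is removed. A Map rather than a plain object, so that a
// tag named e.g. "constructor" cannot collide with Object.prototype.
const ALLOWED_TAGS = new Map([
  ['p', []], ['br', []], ['b', []], ['i', []], ['strong', []], ['em', []],
  ['ul', []], ['ol', []], ['li', []],
  ['a', ['href', 'title']],
  ['img', ['src', 'alt']],
]);

// Elements whose body is dropped together with the tag; keeping the body as
// text would turn "<script>x</script>" into a visible "x".
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);

// URL forms accepted in href/src (constructed for this example): absolute
// http(s)/mailto, root-relative paths and fragments. Everything else is dropped.
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;

// One start or end tag: optional slash, name, raw attribute text, optional self-close.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*(\/?)>/g;
// One attribute inside the raw attribute text (double-quoted, single-quoted or bare value).
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Text nodes: neutralise angle brackets so stray markup cannot be reinterpreted.
function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rebuild a start tag from the allowlisted attributes only.
function rebuildStartTag(name, rawAttrs, selfClose) {
  const allowedAttrs = ALLOWED_TAGS.get(name);
  const kept = [];
  ATTR_RE.lastIndex = 0;
  let a;
  while ((a = ATTR_RE.exec(rawAttrs)) !== null) {
    const attrName = a[1].toLowerCase();
    if (!allowedAttrs.includes(attrName)) continue; // drops on* handlers, style, ...
    const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
    if ((attrName === 'href' || attrName === 'src') && !SAFE_URL.test(value)) continue;
    kept.push(` ${attrName}="${value.replace(/"/g, '&quot;')}"`);
  }
  return `<${name}${kept.join('')}${selfClose ? ' /' : ''}>`;
}

// Walk the input tag by tag; text between tags is escaped, tags are rebuilt
// from the allowlist or dropped.
function sanitizeHtml(input) {
  let out = '';
  let pos = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(input)) !== null) {
    out += escapeText(input.slice(pos, m.index));
    pos = TAG_RE.lastIndex;
    const [, slash, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      if (!slash && DROP_WITH_CONTENT.has(name)) {
        // Skip up to and including the matching end tag, or to end of input.
        const end = new RegExp(`</${name}\\s*>`, 'i').exec(input.slice(pos));
        pos = end ? pos + end.index + end[0].length : input.length;
        TAG_RE.lastIndex = pos;
      }
      continue; // the unknown tag itself is dropped; its children are kept
    }
    out += slash ? `</${name}>` : rebuildStartTag(name, rawAttrs, selfClose);
  }
  return out + escapeText(input.slice(pos));
}

// Constructed sample inputs: the payload from the issue plus attribute-based variants.
const SAMPLES = [
  '<p>Hi</p><script>console.log(document.cookie)</script>',
  '<img src="https://example.com/a.png" onerror="alert(1)">',
  '<a href="javascript:alert(1)">link</a>',
  '<svg onload=alert(1)><p>x</p></svg>',
  '1 < 2 and 3 > 2',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeHtml(s)));
```

The point of the allowlist shape is that it answers the owner's concern from the other direction: instead of enumerating what to forbid (which misses event-handler attributes and `javascript:` URLs as soon as `<script>` alone is blocked), it enumerates what the editor is expected to emit, and an embed that genuinely needs script can then be admitted as a specific, reviewed exception rather than as arbitrary markup. This regex tokenizer does not handle malformed or nested-parser edge cases the way a DOM-based library does, which is why DOMPurify is the right choice for a real integration, with a CSP as the second layer the thread also mentions.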
