This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

XSS fix - Remove onload handler from svg element #1

Open

wants to merge 1 commit into base: master

Conversation

@d3v53c d3v53c commented Feb 17, 2021

📊 Metadata *

tui.editor is vulnerable to Cross-Site Scripting (XSS).

Bounty URL: https://www.huntr.dev/bounties/1-other-tui.editor/

⚙️ Description *

TOAST UI Editor provides Markdown mode and WYSIWYG mode. Depending on the type of use you want, such as producing Markdown or maybe just editing Markdown, the TOAST UI Editor can be helpful for both usages. It offers Markdown mode and WYSIWYG mode, which can be switched at any point in time.

💻 Technical Description *

Fixed XSS by sanitizing user inputs before updating DOM elements. In this case an edge case arose because an onload event handler was not properly sanitized/removed while updating the DOM elements in the editor.

🐛 Proof of Concept (PoC) *

  1. Open https://nhn.github.io/tui.editor/latest/tutorial-example01-editor-basic
  2. Insert the XSS payload in the editor, e.g.: <svg> <svg><svg onload=alert(111)> <svg>
  3. The XSS payload will get executed.

🔥 Proof of Fix (PoF) *

// index.html
[screenshot of index.html]

// script.js

// Mount the editor on the #editor element; the payload from the PoC is then
// entered through the editor UI, as in the original report.
const editor = new toastui.Editor({
  el: document.querySelector('#editor')
});

output:
[screenshot of the editor output after the fix]

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

🔗 Relates to...

418sec/huntr#1911
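An added example, not part of this PR and not tui.editor's own code, illustrating the class of fix the technical description and PoC above refer to: before user-supplied HTML is written into the DOM, drop inline event-handler attributes (onload, onerror and any other on*) and javascript: URLs. The payload from step 2 of the PoC is embedded as constructed sample input together with a few variants; the tag and attribute grammar is a simplification assumed for the example, and renderUnsafe/renderSafe are hypothetical helpers standing in for the editor's own DOM-update path.

```javascript
// Added example, not tui.editor's code: string-level illustration of the fix
// the PR describes, i.e. dropping inline event-handler attributes (onload,
// onerror, ...) and javascript: URLs from user-supplied HTML before it is
// written into the DOM. Assumption: a simplified tag/attribute grammar. A real
// deployment should sanitize a parsed DOM (e.g. with DOMPurify), since a string
// pass cannot reproduce every browser parsing quirk (a quoted '>' inside a
// value, entity-encoded handlers, malformed tags).

// Attributes whose value may carry a script URL.
const URL_ATTRS = new Set(['href', 'xlink:href', 'src', 'action', 'formaction']);

// One attribute: name, then optional =value (double-quoted, single-quoted or bare).
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// A start tag: name, raw attribute text, optional self-closing slash.
// Note that `<svg/onload=...>` parses with the slash inside the attribute text,
// so the handler is still found and removed.
const TAG_RE = /<([a-zA-Z][^\s\/>]*)([^>]*?)(\/?)>/g;

function isDangerousAttr(name, rawValue) {
  const n = name.toLowerCase();
  if (n.startsWith('on')) return true; // onload, onerror, onmouseover, ...
  if (URL_ATTRS.has(n)) {
    // Unquote and drop the whitespace/control characters browsers ignore in a scheme.
    const v = (rawValue || '')
      .replace(/^["']|["']$/g, '')
      .replace(/[\s\u0000-\u001f]/g, '')
      .toLowerCase();
    return v.startsWith('javascript:') || v.startsWith('vbscript:');
  }
  return false;
}

// Rewrites every start tag, keeping only attributes that are not dangerous;
// text, end tags and nesting (including nested <svg>) are left untouched.
function stripEventHandlers(html) {
  return html.replace(TAG_RE, (_whole, tag, attrs, selfClose) => {
    let kept = '';
    for (const m of attrs.matchAll(ATTR_RE)) {
      const [, name, value] = m;
      if (isDangerousAttr(name, value)) continue;
      kept += ' ' + name + (value === undefined ? '' : '=' + value);
    }
    return '<' + tag + kept + selfClose + '>';
  });
}

// The unsafe pattern the PR fixes versus the sanitized one. `target` is any
// object with an innerHTML property (an Element in the browser; a plain object
// here so the example runs under Node). Both helpers are hypothetical.
function renderUnsafe(target, html) {
  target.innerHTML = html;                     // handler attributes survive: XSS
  return target.innerHTML;
}
function renderSafe(target, html) {
  target.innerHTML = stripEventHandlers(html); // handlers removed first
  return target.innerHTML;
}

// Constructed sample input: the payload from the PoC plus a few variants.
const PAYLOADS = [
  '<svg> <svg><svg onload=alert(111)> <svg>',
  '<SVG ONLOAD="alert(1)">',
  '<svg/onload=alert(1)>',
  '<a href="jAvAsCrIpT:alert(1)">x</a>',
  '<img src="a.png" alt="ok" />',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of PAYLOADS) console.log(p, '=>', stripEventHandlers(p));
}
```

Run under Node to see each payload printed next to its sanitized form; the PoC payload comes out as `<svg> <svg><svg> <svg>`. The string-level pass is only for illustration: in production do the same removal on a parsed DOM (walk element.attributes and remove every name starting with "on", or use DOMPurify), and prefer an allowlist of tags and attributes to a denylist of handler names, since a denylist has to anticipate every bypass.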

huntr-helper pushed a commit to 418sec/huntr that referenced this pull request Feb 17, 2021
@huntr-helper
Member

👋 Hello, @shiren - @d3v53c has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@shiren & @d3v53c - thank you for your efforts in securing the world’s open source code! 🎉
