The react-draft-wysiwyg library is not filtering the javascript: prefix in the Link Target. XSS can be triggered when someone clicks the malicious link on the draft. This vulnerability can be exploited in a scenario where the draft is shared among different users (such as in a blog/content dashboard).
@farisv @jpuri Could this safe URL check be made at an earlier stage? Why is it even allowed to create a link with XSS code? My suggestion would be to show an error message beside the link target input field when a user is trying to add javascript:.. code into it. And also the Add button could be disabled until the URL is safe.
Or if you think it's not a good idea, I'd love to hear your arguments. :)
Steps to reproduce

1. Add a link to the draft using javascript:alert(document.domain) as Link Target.
2. Click the link: the alert fires, showing jpuri.github.io.

Expectation

If the link starts with javascript:, don't open it. You can try another rich text editor such as https://ckeditor.com/ckeditor-5/demo/ for reference.

The XSS itself is triggered because of this line (window.open(url, 'blank')). The url should be validated before it reaches that line.
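The check the issue asks for, written out as an added example. This is not react-draft-wysiwyg's code and the function names (naiveIsSafe, isSafeLinkUrl, openLinkSafely) and the base URL are assumptions made here. It shows why a plain startsWith("javascript:") test is not enough (mixed case, leading spaces and embedded newlines all still reach the javascript: scheme once the browser normalises the URL) and how a scheme allowlist on the parsed URL closes those gaps before anything reaches window.open.

```javascript
// Added example: scheme allowlist for editor link targets before window.open().
// Not react-draft-wysiwyg's code; function names and the base URL are hypothetical.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// The check people reach for first. Kept only to show why it is insufficient:
// it misses mixed case, leading whitespace and embedded newlines, all of which
// browsers strip or normalise before dispatching on the scheme.
function naiveIsSafe(url) {
  return !url.startsWith("javascript:");
}

// Parse with the WHATWG URL parser against a base so relative links resolve to
// the document's own scheme, then allowlist the resulting protocol. The parser
// strips leading/trailing control characters and spaces and removes ASCII tabs
// and newlines, so the obfuscated variants collapse to "javascript:".
// Anything that fails to parse is treated as unsafe.
function isSafeLinkUrl(url, base = "https://example.com/") {
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Guard for the vulnerable call site: only a vetted URL reaches window.open.
// `opener` is injected so the function can be exercised outside a browser.
function openLinkSafely(url, opener) {
  if (!isSafeLinkUrl(url)) {
    return false;
  }
  // "_blank" is the keyword for a new browsing context; the original code
  // passed "blank", which is just an ordinary window name. "noopener" stops
  // the opened page from reaching back into the editor via window.opener.
  opener(url, "_blank", "noopener");
  return true;
}

// Constructed inputs: the payloads a reviewer should try against any fix.
// Second element is the verdict the check is expected to produce.
const SAMPLES = [
  ["https://example.org/post", true],
  ["/relative/path", true],
  ["mailto:alice@example.org", true],
  ["javascript:alert(document.domain)", false],
  ["JaVaScRiPt:alert(document.domain)", false],
  ["  javascript:alert(document.domain)", false],
  ["java\nscript:alert(document.domain)", false],
  ["data:text/html,<script>alert(1)</script>", false],
  ["vbscript:msgbox(1)", false],
];

// Run both checks over the samples so the gap in the naive one is visible.
function evaluateSamples() {
  return SAMPLES.map(([url, expected]) => ({
    url,
    expected,
    naive: naiveIsSafe(url),
    strict: isSafeLinkUrl(url),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of evaluateSamples()) {
    console.log(`${JSON.stringify(r.url)} naive=${r.naive} strict=${r.strict} expected=${r.expected}`);
  }
}
```

Rejecting at the call site is the minimum; the same isSafeLinkUrl check can also back the input-field validation suggested in the comment above, so the user gets an error before the link is ever stored in the draft.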