Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tabnabbing vulnerability in snow theme #2438

jonathanlloyd opened this issue Dec 21, 2018 · 3 comments


None yet
2 participants
Copy link

commented Dec 21, 2018

Steps for Reproduction

  1. Visit
  2. Create a link to some url
  3. Click the link to get the link preview
  4. Inspect the link element

Expected behavior:
The link has the target attribute set to _blank but has no rel property. This means that documents containing untrusted links make the page they are embedded in susceptible to tabnabbing

It would be expected that the rel property be set to noopener (possibly also norefferer and nofollow)

Actual behavior:
No rel property is set

Include browser, operating system and respective versions

Run Quill.version to find out


This comment has been minimized.

Copy link
Contributor Author

commented Dec 21, 2018

The issue is in quill/themes/snow.js line 72-77:

SnowTooltip.TEMPLATE = [
  '<a class="ql-preview" target="_blank" href="about:blank"></a>',
  '<input type="text" data-formula="e=mc^2" data-link="" data-video="Embed URL">',
  '<a class="ql-action"></a>',
  '<a class="ql-remove"></a>',

This comment has been minimized.

Copy link

commented Jul 4, 2019

Hey @jhchen !
I just stumbled over this vulnerability while auditing our app.
The fix is merged but there doesn't seem to have been a deployment since then.

Do you have any timeline to release a bugfix version soon? Or could you create a new patch tag 1.3.7 at the mitigating commit (aceaf9f) and release a patch update?

As it is right now, this issue probably shouldn't be closed because it still requires action by the maintainer before the vulnerability is actually fixed for users.


This comment has been minimized.

Copy link

commented Jul 6, 2019

I found that Jonathans fix does not completely protect quill users from tabnabbing.
I have added PR #2674 to add the rel="noopener noreferrer" attribute to anchor tags created by formats/link.js

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.