resend · gabrielmfern · May 27, 2026 · May 27, 2026
diff --git a/.changeset/sanitize-paste-urls-and-tags.md b/.changeset/sanitize-paste-urls-and-tags.md
diff --git a/packages/editor/CHANGELOG.md b/packages/editor/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @react-email/editor
 
+## 1.5.2
+
+### Patch Changes
+
+- 0963d30: scrub `javascript:`, `vbscript:`, and non-image `data:` URLs from pasted HTML and drop `script`, `iframe`, `object`, `embed`, `meta`, and `base` elements. This pass now runs on every paste; previously, content carrying the editor's `node-*` class marker took a fast-path that skipped sanitization entirely and could be spoofed by hosting attacker HTML with the same class name. Legitimate intra-editor copy/paste still round-trips `class`, `style`, and `data-*` attributes as before.
+
 ## 1.5.1
 
 ### Patch Changes

diff --git a/packages/editor/package.json b/packages/editor/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@react-email/editor",
-  "version": "1.5.1",
+  "version": "1.5.2",
   "description": "A rich text editor for editing and building email templates",
   "sideEffects": [
     "**/*.css"