
v1.3.7

@SimeonC SimeonC released this 13 Feb 03:32
· 463 commits to master since this release

See Changelog for details.

Security Patch - Update Strongly Recommended

This patch closes an XSS attack vector that could allow someone to execute unsanitized JavaScript on the page via the editor.

Vulnerability Detail:

There is an XSS vulnerability in the textAngular-sanitize.js code that allows onerror and onload events to be triggered on elements. Any event handler that fires while the element is being constructed is executed; this includes onerror and onload.

Example payloads that passed the sanitizer:

```html
<!-- the broken src fires onerror as soon as the element is constructed -->
<img src="http://bla" onerror=alert(1)>
<!-- a valid src fires onload once the image has been fetched -->
<img src="https://www.google.com/images/srpr/logo11w.png" onload=alert(1)>
```
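As an added illustration (not textAngular's own code or its fix), a small allowlist sanitizer that drops every `on*` attribute and every non-http(s) URL before a fragment reaches the DOM, which is the step the payloads above exploited. The tag and attribute allowlist and the assumption of simple, well-formed markup are mine; a production sanitizer should be DOM-based rather than regex-based.

```javascript
// Added example, not textAngular's code: strip inline event handlers
// (onerror, onload, onclick, ...) from an HTML fragment before insertion.
// Assumes a simple, well-formed fragment (no '>' inside attribute values).

// Per-tag attribute allowlist (assumed for this example).
const ALLOWED_ATTRS = new Map([
  ['img', new Set(['src', 'alt', 'width', 'height'])],
  ['a', new Set(['href', 'title'])],
  ['p', new Set()], ['b', new Set()], ['i', new Set()],
]);
// Only benign URL schemes (or relative URLs) are allowed in src/href.
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;

// One attribute: name, then optional ="..." | '...' | bare value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

function sanitizeTag(name, rawAttrs) {
  const tag = name.toLowerCase();
  const allowed = ALLOWED_ATTRS.get(tag);
  if (!allowed) return '';            // unknown tag: drop it entirely
  const kept = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    // Reject every event handler (on*) regardless of the allowlist.
    if (attr.startsWith('on') || !allowed.has(attr)) continue;
    // URL-bearing attributes must use a benign scheme.
    if ((attr === 'src' || attr === 'href') && !SAFE_URL.test(value.trim())) continue;
    kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
  }
  return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
}

// Rewrites opening tags; closing tags pass through only for allowed elements.
function sanitizeHtml(fragment) {
  return fragment
    .replace(/<([a-zA-Z][\w-]*)([^>]*)>/g, (_, name, attrs) => sanitizeTag(name, attrs))
    .replace(/<\/([a-zA-Z][\w-]*)>/g, (m, name) => (ALLOWED_ATTRS.has(name.toLowerCase()) ? m : ''));
}

// The two payloads from the advisory, neutralised before they reach the DOM.
console.log(sanitizeHtml('<img src="http://bla" onerror=alert(1)>'));
console.log(sanitizeHtml('<img src="https://www.google.com/images/srpr/logo11w.png" onload=alert(1)>'));
```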