There is an XSS vulnerability at the link #3870

Closed
wahaha1573 opened this issue Feb 8, 2022 · 2 comments · Fixed by #3920

@wahaha1573

bug

XSS vulnerability

wangEditor version

V4.7.11

Can the official website reproduce the loopholes?

yes

Reproduction steps

1. Use the following code to build the environment, or use the official demo website (https://codepen.io/xiaokyo-the-bold/pen/ZEpWByR)

<script type="text/javascript" src="https://unpkg.com/wangeditor/dist/wangEditor.min.js"></script>
<span class="col-lg-8" id="editor"></span>
<script type="text/javascript">
  const E = window.wangEditor
  const editor = new E('#editor')
  editor.create()
</script>

2. Visit this HTML page and do the following
payload:
"><img src=1 onerror=alert(/xss/)>

@wangfupeng1988 wangfupeng1988 linked a pull request Feb 25, 2022 that will close this issue
@Gavin-yh
Contributor

The link XSS has been fixed and released; you can try the new version.

@wangfupeng1988
Collaborator

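V5 has been officially released, and handling of v4 issues will be paused.
This project is also maintained in our spare time and we are short on capacity, so please bear with us~

We recommend upgrading to V5 as soon as possible.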
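
Added example, not part of the thread and not wangEditor's code: a sketch of the bug class behind the reported payload and its mitigation, assuming the link dialog's input ends up in an `href` attribute through string concatenation (the issue does not show the editor's internals). The function names and the placeholder base URL are hypothetical.

```javascript
// Added illustration, not wangEditor source. All function names are hypothetical.

// Vulnerable pattern: user input concatenated straight into markup, so a
// double quote in the URL ends the href value and the rest is parsed as HTML.
function buildLinkUnsafe(url, text) {
  return '<a href="' + url + '" target="_blank">' + text + '</a>';
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can close an attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Parse with the WHATWG URL parser (the same normalisation browsers apply)
// against a placeholder base so relative URLs resolve, then allow-list the scheme.
function isAllowedUrl(url) {
  try {
    const parsed = new URL(String(url), 'https://placeholder.invalid/');
    return ALLOWED_PROTOCOLS.has(parsed.protocol);
  } catch (err) {
    return false; // unparseable input is rejected
  }
}

// Hardened form: reject disallowed schemes, escape both the URL and the text.
function buildLinkSafe(url, text) {
  if (!isAllowedUrl(url)) return escapeHtml(text); // keep inert text, drop the link
  return '<a href="' + escapeHtml(String(url).trim()) +
    '" target="_blank" rel="noopener noreferrer">' + escapeHtml(text) + '</a>';
}

// Payload quoted in the issue, supplied here as the link URL.
const payload = '"><img src=1 onerror=alert(/xss/)>';
console.log(buildLinkUnsafe(payload, 'click')); // attribute is closed, <img> becomes markup
console.log(buildLinkSafe(payload, 'click'));   // payload stays inside the href as text
console.log(buildLinkSafe('javascript:alert(1)', 'click')); // scheme rejected
```

Escaping alone neutralises the attribute breakout; the scheme allow-list covers link values that need no breakout at all.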
