jhollingworth/bootstrap-wysihtml5

XSS in bootstrap-wysihtml5

soaj1664 opened this issue · 1 comment

Hi,

The editor is vulnerable to an XSS. The editor allows users to insert a link, and if, instead of a normal link, I input a JavaScript URI

javascript:alert%28location%29

then it works. The attacker can execute arbitrary code of his choice. Please fix this issue. Thanks!

I would expect this to be how it works, as this is a WYSIWYG editor. If
you're worried about that type of stuff, extend the code for your needs or
filter this server side.

On Sunday, April 13, 2014, Ashar Javed notifications@github.com wrote:

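The report above shows a `javascript:` link target being accepted by the editor, and the reply leaves it to the integrator to filter such input. The block below is an added example, not code from bootstrap-wysihtml5 or from either participant, of the scheme-allowlist check a defender would apply to an `href` before it is written into the editor output or into stored HTML. It goes beyond the percent-encoded payload in the report and also catches mixed-case and control-character variants that browsers still parse as `javascript:`. The function names and the list of allowed schemes are assumptions.

```javascript
// Added example (not part of the bootstrap-wysihtml5 project): reject any link
// target whose scheme is not on an explicit allowlist.

// Assumption: the integrator only needs web links and mail links.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Bring an href into the form a browser would actually interpret.
// Returns null when the value is undecodable and therefore untrusted.
function normalizeHref(raw) {
  let href;
  try {
    // Decode percent-encoding so an encoded scheme cannot slip past the check.
    href = decodeURIComponent(String(raw));
  } catch (e) {
    return null; // malformed %-sequence: treat as unsafe
  }
  // Browsers ignore ASCII control characters and whitespace when reading the
  // scheme, so "java\tscript:" or " javascript:" would still execute. Strip
  // them before matching so the check sees what the browser sees.
  return href.replace(/[\u0000-\u0020\u007f]/g, "");
}

// True when the href is relative or uses an allowlisted scheme.
function isSafeHref(raw) {
  const href = normalizeHref(raw);
  if (href === null) return false;
  // RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!match) {
    return true; // no scheme: a relative URL such as "/docs" or "#top"
  }
  return ALLOWED_SCHEMES.has(match[1].toLowerCase());
}

// Replace an unsafe target with an inert one instead of dropping the link
// outright, so the visible document structure is preserved.
function sanitizeHref(raw) {
  return isSafeHref(raw) ? String(raw).trim() : "#";
}

// Constructed sample input: the payload from the report plus common variants.
const samples = [
  "javascript:alert%28location%29",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "https://example.com/path",
  "/relative/path",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(sanitizeHref(s)));
}
```

Run the same check on the server over every `href` in the stored HTML as well, since the client-side editor can be bypassed entirely by posting markup directly.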