
fix(extension-link): prevent parsing javascript: pseudo-protocol #2646

Merged
merged 1 commit into from
Apr 12, 2022

Conversation

phenax
Contributor

@phenax phenax commented Mar 24, 2022

Currently editors using the link extension are vulnerable to XSS using insertContent and insertContentAt. It allows attackers to run arbitrary JavaScript code on a victim's machine when they click a given link.

```js
editor.commands.insertContent('<a href="javascript:alert(1)" target="_self" rel="">Malicious link</a>')
```

This issue can be avoided by not parsing javascript: pseudo-protocol.
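An allow-list href check of the kind a link extension's parse rule can apply, added here as an illustration and not code from tiptap or from this PR. It assumes the href arrives as a DOM attribute value (entities already decoded) and resolves relative links against a placeholder base; the rule object at the end mirrors the ProseMirror `getAttrs` convention where returning `false` rejects the match.

```javascript
// Added example, not tiptap's or this PR's code: reject javascript: (and any other
// non-allow-listed scheme) in link hrefs instead of parsing them into clickable links.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);

// Placeholder base (assumption) used only so relative hrefs such as "/docs" resolve to https:.
const RESOLVE_BASE = 'https://base.invalid/';

function isSafeHref(href) {
  if (typeof href !== 'string') return false;
  // Browsers strip leading/trailing C0 controls and spaces, and drop tab/CR/LF anywhere,
  // before picking a scheme, so "  java\nscript:" is the same as "javascript:".
  // WHATWG URL parsing (Node's global URL) performs exactly that normalisation.
  let url;
  try {
    url = new URL(href, RESOLVE_BASE);
  } catch (e) {
    return false; // unparsable input: refuse rather than guess
  }
  // url.protocol is always lower-cased, so "JaVaScRiPt:" is caught too.
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Returns the href unchanged when acceptable, otherwise null so the caller can
// drop the attribute (or the whole link mark).
function sanitizeHref(href) {
  return isSafeHref(href) ? href : null;
}

// How the check slots into a parse rule: returning false from getAttrs means the
// rule does not match, so the <a> element is parsed as plain text instead of a link.
const linkParseRule = {
  tag: 'a[href]',
  getAttrs: (dom) => {
    const href = dom.getAttribute('href');
    return isSafeHref(href) ? { href, target: dom.getAttribute('target') } : false;
  },
};
```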

@netlify

netlify bot commented Mar 24, 2022

Deploy Preview for tiptap-embed ready!

Name Link
🔨 Latest commit 947f311
🔍 Latest deploy log https://app.netlify.com/sites/tiptap-embed/deploys/623c5c65cd0e47000907a9f7
😎 Deploy Preview https://deploy-preview-2646--tiptap-embed.netlify.app

@bdbch
Member

bdbch commented Apr 9, 2022

Thanks for that critical fix @phenax

@bdbch bdbch self-assigned this Apr 9, 2022
@bdbch bdbch self-requested a review April 9, 2022 15:24
@bdbch bdbch merged commit 4108e9f into ueberdosis:main Apr 12, 2022
@phenax phenax deleted the patch-1 branch April 12, 2022 15:26