Comments (5)
I did some testing now and unfortunately Editor.js seems vulnerable:
- Just try to add a link and type javascript:alert('test') as the URL. The href is added to the page without any sanitization.
- Save and reload the document from JSON.
- Again, the JSON is converted to HTML without any sanitization (you will see <a href="javascript:alert('test')"> in the code).
Another test:
- Add some code to the text in the saved JSON, like "This is a paragraph <script> alert('xss') </script>"
- If you load Editor.js with that JSON, the script is injected into the page
- However, from my test the script doesn't seem to be executed, probably because the HTML is appended to the DOM (and I think that append or similar functions don't execute the scripts)
Editor.js sanitizes all content in several cases: on render, on paste, and on save.
https://editorjs.io/inline-tool-sanitizing/
This sentence is strange, because it's not the behavior that I am seeing.
Not sure which server-side language you use, but that shouldn't matter much. The output of EditorJS is JSON, so you convert that to whatever object representation your server-side language supports, sanitize each block, and then convert back to JSON. This should be fairly easy to do in the server side programming, and you have full control over it.
you convert that to whatever object representation your server-side language supports, sanitize each block, and then convert back to JSON
I've done that properly for our application, but it's really a tedious task: you need to unwrap the JSON and parse each field. And you need to implement that for each block that you use, it's not a single function.
I guess that many applications are vulnerable and simply load the saved JSON data into Editor.js.
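The server-side, per-block sanitizer that the last two comments describe, written out as an added example; it is not Editor.js code and not the commenters' code. It covers the two tests from the first comments (a javascript: href, and a <script> tag injected into saved JSON) and assumes the saved-data layout { time, version, blocks: [{ id, type, data }] } with data.text for paragraph and header blocks and data.level for headers; the allowed inline tags b, i, code and a[href] are likewise an assumption about which inline tools are enabled, and other block types (list, image, ...) would each need their own branch in sanitizeBlock. The sample document is constructed for the example.

```javascript
"use strict";

// Added example, not Editor.js code. Assumed saved-data layout:
// { time, version, blocks: [{ id, type, data }] }, data.text for paragraph/header,
// data.level for header. Unknown block types are dropped rather than passed through.
const ALLOWED_INLINE = new Set(["b", "i", "code", "a"]); // assumed inline tool set
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);
const MAX_TEXT = 100000;
const NAMED_ENTITIES = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'],
  ["apos", "'"], ["nbsp", "\u00a0"], ["colon", ":"], ["tab", "\t"], ["newline", "\n"]]);

// Decode numeric and common named entities so the checks below see what the
// browser will see: to a browser "&#106;avascript:" is "javascript:".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = NAMED_ENTITIES.get(body.toLowerCase());
    return v === undefined ? m : v;
  });
}

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Returns a normalised href, or null when the link must not be emitted.
function safeHref(raw) {
  // Browsers drop tab/CR/LF anywhere in a URL and leading/trailing C0 bytes, so
  // "java\tscript:" runs as javascript:; strip them before reading the scheme.
  const href = decodeEntities(raw).replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const scheme = /^([a-z][a-z0-9+.\-]*):/i.exec(href);
  if (scheme) return ALLOWED_SCHEMES.has(scheme[1].toLowerCase()) ? href : null;
  // No scheme: keep relative links, refuse protocol-relative "//host" (and "\\host",
  // since browsers treat "\" like "/" in http(s) URLs).
  return /^[\/\\]{2}/.test(href) ? null : href;
}

// Rebuilds inline HTML from scratch: only allowed tags survive, every attribute
// except a validated href is discarded, and unbalanced tags are closed.
function sanitizeInline(html) {
  const open = [];
  let out = "";
  let last = 0;
  for (const m of html.matchAll(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    out += escapeHtml(decodeEntities(html.slice(last, m.index)));
    last = m.index + m[0].length;
    const name = m[1].toLowerCase();
    if (!ALLOWED_INLINE.has(name)) {
      out += escapeHtml(m[0]); // <script>, <img onerror=...> etc. become visible text
    } else if (m[0][1] === "/") {
      const at = open.lastIndexOf(name); // a close with no matching open is dropped
      while (at !== -1 && open.length > at) out += `</${open.pop()}>`;
    } else if (name === "a") {
      const hm = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(m[2]);
      const href = hm ? safeHref(hm[1] ?? hm[2] ?? hm[3]) : null;
      if (href === null) continue; // bad or missing href: link removed, its text stays
      out += `<a href="${escapeHtml(href)}">`;
      open.push("a");
    } else {
      out += `<${name}>`;
      open.push(name);
    }
  }
  out += escapeHtml(decodeEntities(html.slice(last)));
  while (open.length) out += `</${open.pop()}>`;
  return out;
}

// One sanitizer per block type; a block type without one is dropped (deny by default).
function sanitizeBlock(block) {
  if (!block || typeof block !== "object" || typeof block.type !== "string") return null;
  const data = block.data && typeof block.data === "object" ? block.data : {};
  const text = (v) => sanitizeInline(typeof v === "string" ? v.slice(0, MAX_TEXT) : "");
  let clean;
  if (block.type === "paragraph") {
    clean = { text: text(data.text) };
  } else if (block.type === "header") {
    const level = Number.isInteger(data.level) ? Math.min(6, Math.max(1, data.level)) : 2;
    clean = { text: text(data.text), level };
  } else {
    return null;
  }
  const out = { type: block.type, data: clean };
  if (typeof block.id === "string" && /^[A-Za-z0-9_-]{1,32}$/.test(block.id)) out.id = block.id;
  return out;
}

function sanitizeEditorData(doc) {
  const d = doc && typeof doc === "object" ? doc : {};
  return {
    time: Number.isFinite(d.time) ? d.time : Date.now(),
    version: typeof d.version === "string" ? d.version : "",
    blocks: (Array.isArray(d.blocks) ? d.blocks : []).map(sanitizeBlock).filter(Boolean),
  };
}

// Constructed sample reproducing the two tests described in the comments above.
const SAMPLE = { time: 1700000000000, version: "2.28.0", blocks: [
  { id: "a1", type: "paragraph", data: { text: 'Click <a href="javascript:alert(\'test\')" onclick="x()">here</a>' } },
  { id: "a2", type: "paragraph", data: { text: "This is a paragraph <script> alert('xss') </script>" } },
  { id: "a3", type: "paragraph", data: { text: '<a href="&#106;avascript:alert(1)">encoded</a> and <a href="https://example.com/?a=1&amp;b=2">ok</a>' } },
  { id: "a4", type: "header", data: { text: "<b>Title</b>", level: 99 } },
  { id: "a5", type: "raw", data: { html: "<img src=x onerror=alert(1)>" } },
] };

console.log(JSON.stringify(sanitizeEditorData(SAMPLE), null, 2));
```

Run this before the JSON is stored and again before it is handed back to the editor; the javascript: link (plain and entity-encoded) loses its href, the script tag is kept only as escaped text, the header level is clamped, and the unknown "raw" block is dropped. The entity decoding and the tab/newline stripping in safeHref are what make the scheme check hold up against the usual encodings a filter on the raw string would miss.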