
XSS Vulnerability


The ngModel.$isEmpty function bypasses the native Froala security cleaning method by executing the content of value with the jQuery function.

In my case, I just reused the Froala native html.clean method to fix it.

Like this:

ngModel.$isEmpty = function (value) {
    if (!value) {
        return true;
    }

    // Run the model HTML through Froala's own cleaner before it is parsed,
    // so active markup never reaches the jQuery HTML-string constructor below.
    value = element.froalaEditor('clean.html', value, [], [], false);

    // Only the cleaned markup is turned into DOM nodes for the emptiness test.
    var isEmpty = element.froalaEditor('node.isEmpty', jQuery('<div>' + value + '</div>').get(0));
    return isEmpty;
};

Example of the XSS injection concerned: Script URI scheme XSS test <img src="javascript:alert('XSS')">
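An added illustration of the two sides of this report, written for this page and not taken from angular-froala, Froala or the issue author: the unsafe pattern of building live DOM from untrusted model HTML (which is what jQuery's HTML-string constructor does internally), next to an emptiness check that parses the markup into an inert document instead. The sample model values are constructed, the browser APIs (document, DOMParser) are assumed to be present only when run in a browser, and the tag-stripping fallback used when no DOM exists is a heuristic so the file also runs offline, not a substitute for a real sanitizer such as Froala's clean.html.

```javascript
// Added example for this thread; not code from angular-froala, Froala or the
// issue author. Sample inputs below are constructed for illustration.

// Constructed sample model values. The onerror variant is the one that actually
// fires in current browsers; the javascript: image URI from the issue is blocked
// by modern browsers but still must never reach a live DOM.
const SAMPLES = {
  benign: '<p>Hello</p>',
  blank: '<p><br></p>&nbsp;',
  onerror: '<img src=x onerror="alert(1)">',
  jsUri: 'Script URI scheme XSS test<img src="javascript:alert(\'XSS\')">',
};

// Tags that count as content even when they carry no text.
const CONTENT_TAGS = ['img', 'video', 'audio', 'iframe', 'table', 'hr', 'svg'];

// Vulnerable pattern (browser only): assigning untrusted HTML to innerHTML of a
// detached element, which is what jQuery('<div>' + value + '</div>') does under
// the hood. The <img> is created in the live document, the fetch of "x" starts
// at once and fails, and onerror runs attacker script before anything is inserted.
function liveIsEmpty(value) {
  if (typeof document === 'undefined') throw new Error('needs a browser DOM');
  const div = document.createElement('div');
  div.innerHTML = value; // DANGER: event handlers in the markup execute here
  return div.textContent.trim() === '';
}

// Textual check for markup that can run script. Heuristic for illustration only;
// a real sanitizer (Froala's clean.html, DOMPurify) is the actual defence.
function hasActiveContent(html) {
  return /<script\b/i.test(html)
    || /\son[a-z]+\s*=/i.test(html)
    || /(?:src|href)\s*=\s*["']?\s*javascript:/i.test(html);
}

// Hardened check. In a browser, parse with DOMParser: the resulting document has
// no browsing context, so scripts are not executed, images are not fetched and
// onerror/onload handlers never fire. Without a DOM (Node), fall back to a
// string-level check so this file runs offline.
function isEmptyHtml(value) {
  if (!value) return true;
  if (typeof DOMParser !== 'undefined') {
    const doc = new DOMParser().parseFromString(value, 'text/html');
    if (doc.body.querySelector(CONTENT_TAGS.join(','))) return false;
    return doc.body.textContent.replace(/\u00a0/g, ' ').trim() === '';
  }
  const mediaTag = new RegExp('<(' + CONTENT_TAGS.join('|') + ')\\b', 'i');
  if (mediaTag.test(value)) return false;
  const text = value
    .replace(/<[^>]*>/g, '')
    .replace(/&nbsp;/gi, ' ')
    .replace(/\u00a0/g, ' ')
    .trim();
  return text === '';
}

// Usage: classify each sample without ever creating live nodes.
function classifySamples() {
  const out = {};
  for (const [name, html] of Object.entries(SAMPLES)) {
    out[name] = { empty: isEmptyHtml(html), active: hasActiveContent(html) };
  }
  return out;
}
```

The point to take from the contrast is that the sanitizer call in the PR above is necessary but the root cause is parsing untrusted HTML into the live document at all: an inert document (DOMParser, or document.implementation.createHTMLDocument) lets you inspect the structure for the emptiness test with nothing executing, and the sanitizer remains the defence for what is eventually rendered.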

Issue Analytics

  • State:open
  • Created 6 years ago
  • Comments:10 (3 by maintainers)

Top GitHub Comments

4 reactions
kp-thibaut commented, Jun 29, 2018

@stefanneculai, I follow your progress but I haven't seen any change for the XSS vulnerabilities.

I'm pretty concerned by this issue, as Froala is deployed for all my customers. Security is one of my main priorities. And you still have a huge vulnerability for ALL XSS attacks.

The fix I propose and present in my PR has been in production for 4 months for every one of my customers.

Can you reply to me with any info or update?


