XSS Vulnerability
The ngModel.$isEmpty function bypasses the native Froala security cleaning method by executing the content of value with the jQuery function.
In my case, I just reuse the Froala native clean.html method to fix it, like this:
    ngModel.$isEmpty = function (value) {
      if (!value) {
        return true;
      }
      // Pass the model value through Froala's own cleaner (clean.html) first,
      // so only cleaned markup is ever handed to jQuery for parsing.
      value = element.froalaEditor('clean.html', value, [], [], false);
      // Build a detached wrapper from the cleaned value and let Froala's
      // node.isEmpty decide whether it holds any content.
      var isEmpty = element.froalaEditor('node.isEmpty', jQuery('<div>' + value + '</div>').get(0));
      return isEmpty;
    };
Example of the XSS injection concerned:
Script URI scheme XSS test<img src="javascript:alert('XSS')">
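The problem the issue describes is that jQuery('<div>' + value + '</div>') turns the raw, unclean model value into live elements; an img element created this way starts fetching its src and fires its onerror handler as soon as it exists, even while detached from the document, so the emptiness check itself becomes an execution point. The fix above cleans the value before parsing it. The following is an added example (not code from angular-froala or from Froala) of the other way to close that hole: decide "empty or not" on the string and never instantiate untrusted markup at all. It runs under Node without a DOM; the helper names isEmptyHtml and installIsEmpty are hypothetical, and the inline inputs are constructed for illustration.

```javascript
// Added example, not angular-froala's or Froala's own code. An
// ngModel.$isEmpty replacement that never builds DOM nodes from the model
// value, so nothing inside it (onerror handlers, javascript: URIs, script
// tags) can run during the check. Assumption: the model value is the HTML
// string Froala stores. Helper names are hypothetical.

// Tags that count as content even when they carry no text.
const CONTENT_TAGS = new Set([
  'img', 'video', 'audio', 'iframe', 'object', 'embed', 'svg', 'table', 'hr',
]);

// Entities editors emit for "blank" lines; they must not count as content.
const BLANK_ENTITIES = /&nbsp;|&#160;|&#xa0;|&#8203;|&#x200b;/gi;

function isEmptyHtml(value) {
  if (value === null || value === undefined) return true;
  const html = String(value);
  if (html === '') return true;

  // 1. A content-bearing element makes the value non-empty regardless of its
  //    attributes. Only the tag name is read; src="javascript:..." or
  //    onerror="..." is never interpreted, let alone executed.
  const tagRe = /<\s*\/?\s*([a-z][a-z0-9-]*)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (CONTENT_TAGS.has(m[1].toLowerCase())) return false;
  }

  // 2. Otherwise look for visible text: drop comments and tags, turn blank
  //    entities and zero-width characters into whitespace, and trim.
  const text = html
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<[^>]*>/g, '')
    .replace(BLANK_ENTITIES, ' ')
    .replace(/[\u200b\ufeff]/g, '');
  return text.trim() === '';
}

// Attach the inert check to an NgModelController, as the directive's link
// function would; the controller object here is whatever Angular hands in.
function installIsEmpty(ngModel) {
  ngModel.$isEmpty = isEmptyHtml;
  return ngModel;
}

// Constructed sample inputs, including the payload from the issue.
const SAMPLES = [
  '<p><br></p>',
  '<p>&nbsp;</p>',
  '<p>hello</p>',
  'Script URI scheme XSS test<img src="javascript:alert(\'XSS\')">',
  '<img src=x onerror=alert(1)>',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', isEmptyHtml(s) ? 'empty' : 'not empty');
}
```

This check only answers the "is there anything here?" question; it is a heuristic over the markup, not a sanitizer, and it deliberately reports a hostile img as non-empty content so the model is not silently treated as blank. What is stored and later rendered is still governed by Froala's clean.html and the html-allowed options, exactly as the fix above relies on.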
Issue Analytics
- Created 6 years ago
- Comments: 10 (3 by maintainers)
Top GitHub Comments
@stefanneculai, I follow your advancement, but I haven't seen any change for the XSS vulnerabilities.
I'm pretty concerned by this issue, as Froala is deployed for all my customers. Security is one of my main priorities. And you still have a huge vulnerability to ALL XSS attacks.
The fix I propose and present in my PR has been in production for 4 months for every one of my customers.
Can you reply to me with any info or update?

@kp-thibaut please make a PR: https://help.github.com/articles/creating-a-pull-request-from-a-fork/.