@toast-ui/editor@2.4.0 vulnerabilities

GFM Markdown Wysiwyg Editor - Productive and Extensible

latest version

3.2.2
latest non vulnerable version

3.2.2
first published

4 years ago
latest version published

a year ago
licenses detected
- MIT
  >=0
View @toast-ui/editor package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the @toast-ui/editor package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) @toast-ui/editor is a GFM Markdown Wysiwyg Editor. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Base tags are not sanitized which can be leveraged for XSS. How to fix Cross-site Scripting (XSS)? Upgrade `@toast-ui/editor` to version 3.0.2 or higher.	<3.0.2
M Cross-site Scripting (XSS) @toast-ui/editor is a GFM Markdown Wysiwyg Editor. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). User input is not properly sanitized before being included in the HTML context, specifically the `href` attribute of anchor tags. Steps to Reproduce 1. Visit the following URL: https://nhn.github.io/tui.editor/latest/tutorial-example01-editor-basic 2. Input in the left pane the following string by making sure the character after the 'j' and before the 'a' is a TAB (0x09) and not a sequence of spaces (0x20): `<a href='j avascript:alert(document.domain)'>click me</a>` 3. Click on the "click me" text in the right page 4. Notice the JavaScript code `alert(document.domain)` is executed The injected JavaScript code should be executed. How to fix Cross-site Scripting (XSS)? Upgrade `@toast-ui/editor` to version 3.0.2 or higher.	<3.0.2

Cross-site Scripting (XSS)

@toast-ui/editor is a GFM Markdown Wysiwyg Editor.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Base tags are not sanitized which can be leveraged for XSS.

How to fix Cross-site Scripting (XSS)?

Upgrade @toast-ui/editor to version 3.0.2 or higher.

<3.0.2

Cross-site Scripting (XSS)

@toast-ui/editor is a GFM Markdown Wysiwyg Editor.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). User input is not properly sanitized before being included in the HTML context, specifically the href attribute of anchor tags.

Steps to Reproduce

1. Visit the following URL: https://nhn.github.io/tui.editor/latest/tutorial-example01-editor-basic
2. Input in the left pane the following string by making sure the character after the 'j' and before the 'a' is a TAB (0x09) and not a sequence of spaces (0x20): `<a href='j avascript:alert(document.domain)'>click me</a>`
3. Click on the "click me" text in the right page
4. Notice the JavaScript code `alert(document.domain)` is executed

The injected JavaScript code should be executed.

How to fix Cross-site Scripting (XSS)?

Upgrade @toast-ui/editor to version 3.0.2 or higher.

<3.0.2

Go back to all versions of this package

@toast-ui/editor@2.4.0 vulnerabilities

GFM Markdown Wysiwyg Editor - Productive and Extensible

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Steps to Reproduce