Text pasted from clipboard is evaluated as HTML #1073
Comments
|
The problem is that we use a |
|
Is there a priority or target that you could say this issue would be resolved by? Mainly to evaluate our project's timelines for getting a fix in. |
|
We are currently looking into the issue and building a fix. |
nikku
added a commit
to bpmn-io/diagram-js-direct-editing
that referenced
this issue
Jun 12, 2019
This prevents the evaluation of arbitrary JavaScript when pasting HTML
code into the edit box such as
```javascript
<video src=1 onerror=alert('hueh')>
```
Related to bpmn-io/bpmn-js#1073
|
Upstream fix, currently in review: bpmn-io/diagram-js-direct-editing#13. |
merge-me bot
pushed a commit
to bpmn-io/diagram-js-direct-editing
that referenced
this issue
Jun 12, 2019
This prevents the evaluation of arbitrary JavaScript when pasting HTML
code into the edit box such as
```javascript
<video src=1 onerror=alert('hueh')>
```
Related to bpmn-io/bpmn-js#1073
nikku
added
in progress
bpmn-io-tasks
nikku
added a commit
that referenced
this issue
Jun 13, 2019
nikku
added a commit
that referenced
this issue
Jun 13, 2019
|
Released fix as |
|
See security notice for further details. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the Bug
Pasting HTML text anywhere that allows text input in the modeler evaluates the HTML as is, creating a potential XSS vulnerability.
Steps to Reproduce
Steps to reproduce the behavior:
<video src=1 onerror=alert('hueh')>Observe displayed alert. The issue is reproducible on the demo site.
Expected Behavior
HTML clipboard content should not be evaluated.
Environment
Please complete the following information:
The text was updated successfully, but these errors were encountered: