
mavonEditor - Cross-Site Scripting - Fix: #548

Merged: 4 commits merged into hinesboy:master on Apr 1, 2020
Conversation

@huntr-helper (Contributor) commented Mar 7, 2020

https://github.com/Asjidkalam fixed the vulnerability associated with Cross-Site Scripting.
This fix is being submitted on behalf of https://github.com/Asjidkalam - they have been awarded $25 for fixing the vulnerability through the huntr bug bounty program.
Think you could fix a vulnerability like this? Get involved (https://huntr.dev).
Q | A
Version Affected | ALL
Bug Fix | YES
Further References | 418sec#1
Related Issue | #472

Original Comments:

Bug fix:
Sanitized the input value on the textarea of the vNoteEdit panel using the xss module, so that it escapes all the inputs resulting in an XSS.

The XSS mitigation is implemented inside watch: { value: function (val, oldVal) }, which passes the val variable through xss() and returns the escaped output to the d_value variable.

Files changed:

package.json
mavon-editor.vue

Bounty URL: https://huntr.dev/bounties/1-npm-mavon-editor

Asjid Kalam and others added 4 commits February 29, 2020 23:53
@JamieSlome commented

@leftstick @cyyjs @clarifysky - any updates on this?

@hinesboy hinesboy merged commit ff5c11d into hinesboy:master Apr 1, 2020
@asgarth commented Apr 11, 2020

@hinesboy this PR broke the ability to use HTML code in the editor. Now it's not possible anymore to do something like this:

<span class="success">Success</span>

Also, this other PR probably already solved the issue: #538

If this is really required, please at least add some props to customize the method used and whitelist some tags/attributes.
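An added example, not mavonEditor's code, not the diff of this PR and not the `xss` npm module. It mirrors the shape of the fix described in the PR body (a `value` watcher that sanitizes the incoming text before assigning `d_value`) and extends it with the per-tag attribute whitelist that asgarth's comment asks for, so `<span class="success">Success</span>` survives while event handlers, `javascript:` URLs and unknown tags are stripped or escaped. To run offline it carries a small whitelist sanitizer of its own instead of calling the `xss` package (the comparable knob there is its `whiteList` option); `DEFAULT_WHITELIST`, `sanitizeHtml`, `makeValueWatcher` and the sample inputs are assumptions made for illustration.

```javascript
// Added example, not mavonEditor's code and not the `xss` npm module.
// Shape of the PR's fix: watch `value`, sanitize it, assign to `d_value`,
// plus the per-tag attribute whitelist asgarth asks for. Names and the
// sample inputs below are assumptions made for illustration.

// Tags allowed through, each with the attributes it may keep. Anything
// else is escaped to literal text. (In the real `xss` module the
// comparable knob is its `whiteList` option.)
const DEFAULT_WHITELIST = {
  a: ['href', 'title'],
  span: ['class'],
  b: [], i: [], em: [], strong: [], p: [], br: [], code: [], pre: [],
};
const URL_ATTRS = new Set(['href', 'src']);

// Opening/closing tag with its raw attribute text; a `<` that is not
// followed by a tag name never matches and is left to escapeText().
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)([^<>]*?)(\/?)>/g;
// attribute name, then optionally = "double", 'single' or bare value
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// `&` is escaped as well, so an entity-encoded scheme such as
// &#106;avascript: stays a literal string after the browser decodes it.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Reject script-capable schemes; whitespace and control characters are
// dropped first because browsers ignore them when reading the scheme.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return !/^(javascript|vbscript|data):/.test(v);
}

function cleanAttrs(attrText, allowed) {
  let kept = '';
  ATTR_RE.lastIndex = 0;
  let a;
  while ((a = ATTR_RE.exec(attrText)) !== null) {
    const name = a[1].toLowerCase();
    if (!allowed.includes(name)) continue; // drops onclick, onerror, style, ...
    const value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : (a[4] || '');
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    kept += ` ${name}="${escapeAttr(value)}"`;
  }
  return kept;
}

function sanitizeHtml(input, whiteList = DEFAULT_WHITELIST) {
  let out = '';
  let last = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(input)) !== null) {
    out += escapeText(input.slice(last, m.index));
    const [raw, closing, name, attrs, selfClose] = m;
    const tag = name.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(whiteList, tag)) {
      out += escapeText(raw); // <script>, <img onerror=...> become visible text
    } else if (closing) {
      out += `</${tag}>`;
    } else {
      out += `<${tag}${cleanAttrs(attrs, whiteList[tag])}${selfClose ? ' /' : ''}>`;
    }
    last = m.index + raw.length;
  }
  return out + escapeText(input.slice(last));
}

// The watcher from the PR description, generalised to take a whitelist:
//   watch: { value: makeValueWatcher(myWhiteList) }
// Vue invokes it with the component instance as `this`.
function makeValueWatcher(whiteList = DEFAULT_WHITELIST) {
  return function onValueChange(val, oldVal) {
    if (val === oldVal) return;
    this.d_value = sanitizeHtml(val, whiteList);
  };
}

// Constructed sample inputs (not taken from the project).
const SAMPLES = [
  '<span class="success">Success</span>',                  // asgarth's case: kept intact
  '<img src=x onerror=alert(1)>',                           // unknown tag: escaped as text
  '<a href="javascript:alert(1)" onclick="x()">click</a>',  // href and onclick dropped
  '<SPAN CLASS="ok" onclick="evil()">x</SPAN>',             // case-normalised, handler dropped
];

function demo() {
  const editor = { d_value: '' };
  const onValue = makeValueWatcher();
  return SAMPLES.map((s) => { onValue.call(editor, s, ''); return editor.d_value; });
}

if (typeof require !== 'undefined' && require.main === module) demo().forEach((l) => console.log(l));
```

Exposing the whitelist as a prop (the `myWhiteList` argument above) is the kind of knob asgarth's comment requests: a consumer who needs `class` on `span` can allow it without reopening the handler-bearing tags the PR set out to block.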
