Cleditor is vulnerable to Self Cross-site scripting attacks.

[Anatoli Iliev]

Hi there,

I have been using your cleditor component for a long time and I am very happy with it.

However, recently we found that it is vulnerable to Self Cross-site scripting attacks.

In order to reproduce such an issue you can:

1. Open your Live Demo site (https://premiumsoftware.net/cleditor/)

2. Click "Show Source" button

3. Paste the following text: <img src=x onerror=alert(42)>

4. Click the "Show Rich Text" button

Result: An alert is being shown

Concern: This makes the use of the component vulnerable to any kind of social self cross-site scripting attacks. Even in case that the input text is being sanitized on as part of a web server processing, the component (and the application which use it) is still vulnerable to this kind of attacks.

Do you have any plans to fix this issue?

Regards,

Anatoli

 

[Nelson Buck]

Have there been any attempts to fix this issue yet.? I did what was said about and I received a pop-up alert box that said 42.