[Bug]: XSS risk for example code of experimental iframe feature #5962
Labels
Category: Open Source
The issue or pull request is related to the open source packages of Tiptap.
Type: Bug
The issue or pull request is related to a bug
Affected Packages
none
Version(s)
none
Bug Description
I'm not sure if I should report it here, but the current source code of the experimental iframe feature has XSS risks.
https://tiptap.dev/docs/examples/experiments/iframe
Although I know it's experimental, may I add some warning, or validation like one in the Link extension impl?
The current iframe code neither checks the URL scheme nor strips attributes other than src.
So it has XSS vulnerability especially for stored one.
(i.e., an attacker can modify the data sent to a server via local proxy and the server stores malicious data, then a victim opens it and tiptap running on victim's client constructs harmful DOM)
For example, setting the `javascript:` scheme on an iframe in the experimental code easily leads to XSS. I know it's experimental, so I think almost no one uses the code with no modification.
However, because tiptap's Link extension has nice validation by default, it's not so surprising if someone with no care about XSS risks uses this code.
So, may I add some warning, or validation like one in the Link extension impl?
Please tell me if there is another place to discuss it.
Browser Used
Chrome
Code Example URL
No response
Expected Behavior
none
Additional Context (Optional)
No response
Dependency Updates
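As an added example of the kind of validation the report asks for (this is not Tiptap's code, not the Link extension's implementation, and not code from the issue author; the names `isSafeIframeSrc`, `sanitizeIframeAttrs`, `ALLOWED_PROTOCOLS` and `ALLOWED_ATTRS` are hypothetical), the snippet below shows a scheme allowlist for `src` plus an attribute allowlist, which together address both gaps the report names. It relies on the WHATWG `URL` parser available in browsers and Node, so leading whitespace, mixed-case schemes and embedded tab/newline characters are normalised before the scheme is compared:

```javascript
// Added example, not Tiptap's code: scheme allowlist for iframe src and an
// attribute allowlist for the node. All names here are hypothetical.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const ALLOWED_ATTRS = new Set(['src', 'width', 'height', 'title']);

// Returns true only for absolute http(s) URLs. The URL parser rejects relative
// and malformed input by throwing, and lowercases the scheme, so "JavaScript:"
// or "  javascript:" both end up with protocol "javascript:" and are refused.
function isSafeIframeSrc(src) {
  if (typeof src !== 'string') return false;
  let url;
  try {
    url = new URL(src);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Returns a new attribute object containing only allow-listed string
// attributes, or null when src fails the scheme check. Anything else stored
// alongside the node (onload, srcdoc, style, ...) is dropped before it can
// reach the DOM.
function sanitizeIframeAttrs(attrs) {
  if (!attrs || !isSafeIframeSrc(attrs.src)) return null;
  const clean = {};
  for (const [name, value] of Object.entries(attrs)) {
    const key = name.toLowerCase();
    if (ALLOWED_ATTRS.has(key) && typeof value === 'string') {
      clean[key] = value;
    }
  }
  // Store the normalised form so the rendered attribute matches what was checked.
  clean.src = new URL(attrs.src).href;
  return clean;
}

// Constructed sample inputs, shaped like attributes read back from stored
// editor content (not real data from the issue).
const samples = [
  { src: 'https://example.com/embed/123', width: '560', onload: 'void 0' },
  { src: '  JavaScript:void(0)', width: '560' },
  { src: 'data:text/html,hello' },
  { src: '/relative/path' },
];

for (const attrs of samples) {
  console.log(JSON.stringify(attrs.src), '->', JSON.stringify(sanitizeIframeAttrs(attrs)));
}
```

Returning `null` rather than an empty object lets the caller decide whether to drop the node or render a placeholder; what matters for the stored-XSS case described above is that no node with a non-http(s) `src` or an unexpected attribute is ever rendered.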