[Medium][general-editor] XSS via RichText rendering (dangerouslySetInnerHTML/srcDoc)

[ashutoshkumarsingh-dev]

Vulnerability
RichText renders untrusted HTML using dangerouslySetInnerHTML and iframe srcDoc without sanitization.

Affected file:

• general-editor/src/tags/object/RichText/view.js

Impact
Stored/reflected XSS in annotation content can execute arbitrary JS in another users browser (token theft, actions as victim).

Steps to Reproduce

1. Render a value containing one of:
   <img src=x onerror=alert('XSS')>
   or
   <svg onload=alert('XSS')>
2. The alert fires on render.

PoC
Any payload above in item._value triggers execution on render.

Expected vs Actual
Expected: HTML sanitized; no script execution.
Actual: Script executes.

Working Patch
Public gist (single-commit patch): https://gist.github.com/ashutoshkumarsingh-dev/49880549b5786b43e39e4954a59d74d5
Apply with:

�ash git am -3 < fix-general-editor-xss-sanitize.patch

Files in patch:

• general-editor/src/tags/object/RichText/view.js: sanitize value with DOMPurify; use sanitizedVal for dangerouslySetInnerHTML and iframe srcDoc
• general-editor/package.json: add dompurify dependency

CVSS v3.1
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N = 6.1 (Medium)

Notes
I can submit a PR as well; I couldnt fork the public repo due to access. The patch is complete and ready to apply.

[tqphu27]

Security Assessment - XSS Vulnerability Report

Hi @ashutoshkumarsingh-dev,

Thank you for your submission regarding the potential Cross-Site Scripting (XSS) vulnerability in the RichText component.

Submission Requirements Verification

Before conducting technical assessment, we must verify compliance with our bug bounty program requirements.

** CRITICAL: Submission Requirements Not Met**

Our bug bounty program clearly states that all submissions must:

1. Star the repository
2. Fork the repository
3. Submit a valid Pull Request

Current Status:

• Repository not starred - Required for program participation
• Repository not forked - Mandatory submission step
• No Pull Request submitted - Essential for code review process

Program Policy

As stated in our submission guidelines:

"Please make sure you star the repository, fork it, and submit a valid Pull Request — submissions that don't meet these requirements may be considered invalid."

Submission Decision

Status: INVALID - Requirements Not Met
Reward: $0
Reason: Failure to complete mandatory submission steps

[ashutoshkumarsingh-dev]

Re-submitted from correct account @ashutoshkumarsingh-dev. PR: #234 This replaces the earlier PR opened from a different account.

[ashutoshkumarsingh-dev]

@tqphu27 I have completed all the required submission steps:\n\n Starred the repository\n Forked the repository to @ashutoshkumarsingh-dev\n Submitted a valid Pull Request: #234 All program requirements have been met. The PR addresses the XSS vulnerability in RichText rendering by implementing DOMPurify sanitization.