AIxBlock-2023 · ashutoshkumarsingh-dev · Aug 25, 2025
diff --git a/.github/security/229-richtext-xss.md b/.github/security/229-richtext-xss.md
@@ -0,0 +1,23 @@
+Title: general-editor RichText XSS sanitization
+
+Summary
+
+- Address XSS risk in `general-editor` RichText rendering by sanitizing untrusted HTML prior to rendering.
+- Applies sanitization before `dangerouslySetInnerHTML` and `iframe srcDoc` usage.
+
+Details
+
+- Affected area: `general-editor/src/tags/object/RichText/view.js`
+- Mitigation: Use DOMPurify to sanitize the rendered HTML string.
+- Dependency: `dompurify` declared in `general-editor/package.json`.
+
+PoC (neutralized post-fix)
+
+- `<img src=x onerror=alert('XSS')>`
+- `<svg onload=alert('XSS')>`
+
+Tracking
+
+- Related issue: #229
+
+