@valentijnscholten valentijnscholten commented May 4, 2025

Fixes #12363

To make native spell checking work with EasyMDE text fields, we need to DISABLE spell checking on the field.
This was already done, but we also need to change the inputStyle to contenteditable.
This wasn't clear to a lot of people, including me: Ionaru/easy-markdown-editor#617, for which I raised Ionaru/easy-markdown-editor#619

The change to contenteditable doesn't seem to have a noticeable effect; I can still create/edit findings and other objects. Just to be safe I added it to 2.47.0 and not the first upcoming bugfix release.

@github-actions github-actions bot added the ui label May 4, 2025
@valentijnscholten valentijnscholten added this to the 2.47.0 milestone May 4, 2025
@valentijnscholten valentijnscholten force-pushed the easy-mde-native-spell-check branch from 7d57a6a to ad5090d Compare May 4, 2025 14:29
@valentijnscholten valentijnscholten changed the base branch from bugfix to dev May 4, 2025 14:29
@valentijnscholten valentijnscholten marked this pull request as ready for review May 4, 2025 14:53
dryrunsecurity bot commented May 4, 2025

DryRun Security

This pull request introduces a potential Cross-Site Scripting (XSS) vulnerability in the EasyMDE markdown editor when using the 'inputStyle: contenteditable' configuration, which could allow malicious script injection if input is not properly sanitized.

Unconfirmed Findings (1)

Vulnerability: Potential Cross-Site Scripting (XSS) Risk with Contenteditable Input

Description: The new EasyMDE markdown editor configuration option 'inputStyle: contenteditable' introduces potential XSS vulnerabilities. Contenteditable elements allow rich text input that might include script tags or malicious HTML, increasing the attack surface for potential HTML/script injection if not properly escaped and sanitized.

All finding details can be found in the DryRun Security Dashboard.

@valentijnscholten valentijnscholten changed the title easymde: enable native spell checker easymde: enable native/browser spell checker May 5, 2025
@mtesauro mtesauro left a comment

Approved

@Maffooch Maffooch requested review from dogboat and hblankenship May 16, 2025 15:02
@valentijnscholten valentijnscholten merged commit 156f46d into DefectDojo:dev May 16, 2025
79 checks passed