XSS vulnerability in HTML Editor

Is there some way to sanitize the input for the HTMLEditor component? The editor has an XSS vulnerability.

If you enter: <img src="" onerror="alert(1)"> in the source view for the editor, it executes when I switch back.

Hi @markus,

We would recommend disabling the view source tool by specifying a custom set of tools. Additionally, you can also sanitize the HTML however you want via third-party libraries such as HtmlSanitizer.

@using Ganss.Xss

<RadzenHtmlEditor @bind-Value="@Html" />
@code {
   // HtmlSanitizer (Ganss.Xss package) strips script tags, event handler
   // attributes such as onerror and javascript: URLs from the markup.
   private static readonly HtmlSanitizer sanitizer = new HtmlSanitizer();
   private string html;

   public string Html
   {
      get => html;
      set => html = Sanitize(value);
   }

   private string Sanitize(string value) => value == null ? null : sanitizer.Sanitize(value);
}

UPDATE: Unfortunately this won't work the first time as the value will be sanitized after setting innerHTML. We will release an update which should address that - sanitization happening inside the setter should occur before updating the HTML editor content.

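The two recommendations above combined in one component, as an added example that is not code from the thread or from Radzen: the toolbar is listed explicitly so the source tool is omitted, and HtmlSanitizer (Ganss.Xss package) is applied when the content is saved, so the stored value does not depend on the editor's setter timing noted in the update. The tool component names (RadzenHtmlEditorBold and friends) and the StoreAsync call are assumptions.

```csharp
@using Ganss.Xss

<RadzenHtmlEditor @bind-Value="@html" Style="height: 300px">
    @* Explicit tool list: RadzenHtmlEditorSource is deliberately left out, so
       raw markup cannot be entered in a source view (tool names assumed). *@
    <RadzenHtmlEditorUndo />
    <RadzenHtmlEditorRedo />
    <RadzenHtmlEditorSeparator />
    <RadzenHtmlEditorBold />
    <RadzenHtmlEditorItalic />
    <RadzenHtmlEditorUnderline />
    <RadzenHtmlEditorSeparator />
    <RadzenHtmlEditorLink />
    <RadzenHtmlEditorUnlink />
</RadzenHtmlEditor>

<RadzenButton Text="Save" Click="@Save" />

@code {
    // One shared sanitizer; its defaults keep ordinary formatting tags and
    // remove script, event handler attributes (onerror, onclick, ...) and
    // javascript: URLs.
    private static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();

    private string html = "";

    private async Task Save()
    {
        // Sanitize at the persistence boundary: whatever the editor currently
        // holds, only the cleaned markup is stored and later rendered to others.
        var safe = Sanitizer.Sanitize(html ?? "");
        await StoreAsync(safe);
    }

    // Hypothetical persistence call; replace with the application's own storage.
    private Task StoreAsync(string content) => Task.CompletedTask;
}
```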