@milkdown/components is vulnerable to Cross-Site Scripting (XSS)
54
Medium Risk
The link-tooltip preview renders the stored link href into a real clickable anchor that lives outside the contenteditable area, and the edit tooltip's DOMPurify.sanitize(href) call only sanitizes HTML markup rather than bare URL strings, so a javascript: scheme passes through unchanged. A stored unsafe-scheme link therefore becomes a directly clickable script sink in the tooltip UI. The fix applies the sanitizeLinkHref scheme allowlist to the preview anchor and replaces the ineffective sanitizer in the edit tooltip, adding rel="noopener noreferrer". The original URL is still displayed as inert text.
You are affected if you are using a version that falls within the vulnerable range, integrate the link-tooltip component, and display or edit links whose href values can come from untrusted content.
@milkdown/components is vulnerable to Cross-Site Scripting (XSS) in versions 7.4.0 - 7.21.2.
Upgrade the @milkdown/components library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant