jodit is vulnerable to Cross-Site Scripting (XSS)
54
Medium Risk
The HTML sanitizer in jodit checks an element's href for executable schemes with a bare case-sensitive comparison that does not strip control bytes, tabs, or newlines, unlike the normalization applied to every other URL attribute. An attacker can store a javascript: link obfuscated with uppercase letters, a leading control byte, or an embedded tab or newline so it survives sanitization and persists in the stored editor value. When another user clicks the link in any view that renders that stored content, the attacker-controlled script executes in the page's origin. The fix routes href through the same isDangerousUrl normalization that strips control characters and lowercases the value before matching the scheme.
You are affected if you are using a version that falls within the vulnerable range and your application renders stored editor content where a user can click an attacker-supplied link.
jodit is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.1 - 4.12.30.
Upgrade the jodit library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant