
Fix: Security - XSS vulnerability in formula and video HTML export#4771

Closed
tapas100 wants to merge 2 commits into slab:main from tapas100:main

@tapas100 tapas100 commented Jan 20, 2026

Security Fix: XSS Vulnerability in HTML Export

Summary

Fixed CVE-2025-15056: A Cross-Site Scripting (XSS) vulnerability in the getSemanticHTML() method caused by lack of data validation in the HTML export feature. This allowed arbitrary JavaScript execution through malicious formula and video embeds.

Vulnerability Details

CVE: CVE-2025-15056
GHSA: GHSA-v3m3-f69x-jf25
Affected versions: ≤ 2.0.3
Patched versions: None (this PR provides the fix)
Severity: Low
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation)

npm audit output:
quill ≤2.0.3 Quill is vulnerable to XSS via HTML export feature fix available via npm audit fix

Attack Vector

The vulnerability existed in two blot types that failed to escape user-controlled content:

  1. Formula blots (src/formats/formula.ts):

    • Formula values were rendered directly into HTML without escaping
    • Malicious LaTeX-like syntax could inject HTML/JavaScript
  2. Video blots (src/formats/video.ts):

    • Video URLs were embedded without escaping in both href attributes and text content
    • Malicious URLs could break out of attributes to inject scripts

Example exploit:

quill.insertEmbed(0, 'formula', '<script>alert(document.cookie)</script>');
const html = quill.getSemanticHTML(); // Contained unescaped script tag

Fix Implementation

  • Formula blots (src/formats/formula.ts): Now escape all HTML special characters in formula values before rendering
  • Video blots (src/formats/video.ts): Now escape video URLs in both href attributes and text content
  • Uses existing escapeText() utility to escape: &, <, >, ", '

Testing

  • Added 14 comprehensive security tests (8 for formula, 6 for video)
  • All 535 existing tests pass - no breaking changes
  • Verified prevention of:
    • HTML tag injection
    • Attribute injection
    • Quote breaking
    • Event handler injection

Backwards Compatibility

✅ Fully backwards compatible

  • No API changes
  • Delta format unchanged
  • Only affects HTML output (now properly escaped)

Changelog

  • Updated CHANGELOG.md for v2.0.4 security release

Note to maintainers: This should be treated as a security release. Consider:

  • Assigning a CVE
  • Publishing a security advisory
  • Backporting to previous major versions if applicable
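As an added illustration of the escaping approach this PR describes (not Quill's own code: escapeText, formulaHtmlUnescaped, formulaHtmlEscaped, videoHtmlEscaped and countTags are hypothetical stand-ins for the real utility and blot html() methods), using the attack inputs quoted in this PR as constructed sample values:

```typescript
// Hypothetical stand-in for the escapeText() utility the PR relies on.
// Escapes the five characters the PR lists (&, <, >, ", '); & is handled
// first so entities produced by the later replacements are not re-escaped.
function escapeText(text: string): string {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Shape of the bug: the formula value is interpolated verbatim, so a value
// can close the wrapper element and open new ones.
function formulaHtmlUnescaped(value: string): string {
  return `<span class="ql-formula">${value}</span>`;
}

// Shape of the fix: the user-controlled value passes through escapeText().
function formulaHtmlEscaped(value: string): string {
  return `<span class="ql-formula">${escapeText(value)}</span>`;
}

// Video export: the URL lands in an attribute AND in text content, so the
// same escaped value is used in both positions (as the PR describes).
function videoHtmlEscaped(url: string): string {
  const safe = escapeText(url);
  return `<a href="${safe}">${safe}</a>`;
}

// Crude structural check for the tests: count tag openers in the output.
// A correctly escaped result contains only the two wrapper tags we emit.
// (A counting heuristic for tests, not an HTML sanitizer.)
function countTags(html: string): number {
  return (html.match(/<[a-zA-Z!\/]/g) ?? []).length;
}

// Constructed sample inputs, taken from the attack examples in this PR.
const FORMULA_PAYLOAD = "</span><img src=x onerror=alert(1)>";
const VIDEO_PAYLOAD = 'https://example.com/v" onclick="alert(1)';
```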

Tapas Mahanta added 2 commits January 20, 2026 12:02
- Escape user-controlled values in formula html() output
- Escape video URLs in html() output
- Add comprehensive XSS prevention tests
- Update CHANGELOG for v2.0.4

Fixes critical XSS vulnerability where malicious formulas or video URLs
could execute JavaScript when exported HTML is rendered. All special HTML
characters (<, >, &, ", ') are now properly escaped in embed output.

This addresses a vulnerability in Quill 2.0.0-2.0.3 where the html()
methods in Formula and Video blots directly interpolated user-controlled
values into HTML strings without escaping.

Attack example:
  quill.insertEmbed(0, 'formula', '</span><img src=x onerror=alert(1)>');
  quill.getSemanticHTML(); // Would output unescaped HTML

Impact: Applications using getSemanticHTML() to export and render content
were vulnerable to XSS attacks through malicious embed values.

Fix: Added escaping using existing escapeText() utility from blots/text.ts

BREAKING: None - this is a security fix with no functional changes.
Output HTML format changes only for inputs containing special characters,
which now correctly escape to valid HTML entities.
- Add KaTeX mock for formula tests to prevent initialization errors
- Improve test assertions to check for actual exploit patterns
- Fix formula test: check for '<img' tag presence instead of 'onerror='
- Fix video test: check for '" onclick="' pattern instead of 'onclick='

All 14 XSS prevention tests now pass (8 formula + 6 video).
All 535 unit tests pass with no regressions.

@RaedAbr RaedAbr left a comment

Looks good for me
