Patch Changes
-
d30471cb19577e53c20944ab66eab2a7ef3b3ad2
by @12joan – Mitigate XSS inelement.attributes
by requiring all attribute names to be allowlisted in thenode.dangerouslyAllowAttributes
plugin configuration option.Migration:
For each plugin that needs to support passing DOM attributes using
element.attributes
, add the list of allowed attributes to thenode.dangerouslyAllowAttributes
option of the plugin.const ImagePlugin = createPlatePlugin({ key: 'image', node: { isElement: true, isVoid: true, dangerouslyAllowAttributes: ['alt'], }, });
To modify existing plugins, use the
extend
method as follows:const MyImagePlugin = ImagePlugin.extend({ node: { dangerouslyAllowAttributes: ['alt'], }, });
WARNING: Improper use of
dangerouslyAllowAttributes
WILL make your application vulnerable to cross-site scripting (XSS) or information exposure attacks. Ensure you carefully research the security implications of any attribute before adding it. For example, thesrc
andhref
attributes will allow attackers to execute arbitrary code, and thestyle
andbackground
attributes will allow attackers to leak users' IP addresses.