github udecode/plate @udecode/plate-core@38.0.6

latest releases: @udecode/plate@40.0.4, @udecode/plate-markdown@40.0.4, @udecode/plate-ai@40.0.4...
one month ago

Patch Changes

  • d30471cb19577e53c20944ab66eab2a7ef3b3ad2 by @12joan – Mitigate XSS in element.attributes by requiring all attribute names to be allowlisted in the node.dangerouslyAllowAttributes plugin configuration option.

    Migration:

    For each plugin that needs to support passing DOM attributes using element.attributes, add the list of allowed attributes to the node.dangerouslyAllowAttributes option of the plugin.

    const ImagePlugin = createPlatePlugin({
      key: 'image',
      node: {
        isElement: true,
        isVoid: true,
        dangerouslyAllowAttributes: ['alt'],
      },
    });

    To modify existing plugins, use the extend method as follows:

    const MyImagePlugin = ImagePlugin.extend({
      node: {
        dangerouslyAllowAttributes: ['alt'],
      },
    });

    WARNING: Improper use of dangerouslyAllowAttributes WILL make your application vulnerable to cross-site scripting (XSS) or information exposure attacks. Ensure you carefully research the security implications of any attribute before adding it. For example, the src and href attributes will allow attackers to execute arbitrary code, and the style and background attributes will allow attackers to leak users' IP addresses.

Don't miss a new plate release

NewReleases is sending notifications on new releases.