Quill Lack of Data Validation Vulnerability in HTML Export Feature Allowing Cross-Site Scripting
Vulnerability
A Cross-Site Scripting (XSS) vulnerability has been identified in Quill version 2.0.3. The HTML export feature builds its output by string interpolation, and the user-controlled values of embedded content (such as a formula's text or a video's URL) are inserted into that string without HTML escaping or URL validation. The editor's own on-screen rendering is not where the injection lands; the exported string is. Whoever later renders that string, for example by assigning it to innerHTML or emitting it from a server-side template, receives the attacker's markup and attributes live, which can lead to script execution in the viewer's browser. This turns the common workflow of exporting HTML, storing it, and rendering it elsewhere into a stored XSS path, because nothing in the export step sanitizes or escapes the embedded values.
Impact
Exploitation of this vulnerability allows Cross-Site Scripting (XSS): an attacker who can place a formula or video embed in a document can run script in the browser of any user who views the exported HTML, in the origin of the page that renders it, which may be an application other than the editor itself. Because the payload survives export and storage, one malicious document can affect every later viewer. Until a fixed version is in use, treat exported HTML as untrusted and pass it through an HTML sanitizer (for example DOMPurify) before rendering, or escape embed values before they are interpolated.
Reproduction
To reproduce this vulnerability, create a Quill editor instance and insert a formula or video embed whose value contains raw HTML, for example an img tag with an onerror handler (an image that fails to load fires the handler without any user interaction). Export the content with the HTML export feature, then render the resulting string, for instance by assigning it to an element's innerHTML. The injected handler executes at that point. Inspecting the exported string alone is enough to confirm the defect: the payload appears verbatim rather than as escaped entities.
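The following JavaScript is an added example that models the interpolation pattern described above and a hardened counterpart side by side; it is not Quill's code, and the function names, the looksInjected() check, and the payload strings are hypothetical or constructed. In Quill 2 the export in question is the editor's getSemanticHTML() method, but the example runs without Quill or a DOM so that the escaping logic itself can be checked.

```javascript
// Added example (not Quill's code): an unescaped embed export next to a
// hardened version. Function names are hypothetical; payloads are constructed.

// Vulnerable pattern: the embed value is dropped into the HTML string as-is.
function exportFormulaUnsafe(formula) {
  return `<span>${formula}</span>`;
}
function exportVideoUnsafe(url) {
  return `<a href="${url}">${url}</a>`;
}

// Hardened: escape every value for text and attribute context ...
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}
// ... and only accept http(s) URLs for attributes that take a URL,
// so javascript: and malformed values never reach href.
function isSafeUrl(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === "https:" || u.protocol === "http:";
  } catch {
    return false;
  }
}
function exportFormulaSafe(formula) {
  return `<span>${escapeHtml(formula)}</span>`;
}
function exportVideoSafe(url) {
  const href = isSafeUrl(url) ? escapeHtml(url) : "about:blank";
  return `<a href="${href}">${escapeHtml(url)}</a>`;
}

// Coarse detector for an exported fragment that carries more than its wrapper:
// any tag other than wrapperTag, or an on* handler attribute inside a tag.
function looksInjected(html, wrapperTag) {
  const tags = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  const foreignTag = tags.some((t) => t !== wrapperTag);
  const handler = /<[^>]*\son[a-z]+\s*=/i.test(html);
  return foreignTag || handler;
}

// Constructed attacker values: one breaks out of text context, the other
// breaks out of an attribute. Neither needs user interaction to fire.
const FORMULA_PAYLOAD = '<img src=x onerror="alert(document.domain)">';
const VIDEO_PAYLOAD = '"><img src=x onerror="alert(1)"><a href="';

function demo() {
  return {
    unsafeFormula: exportFormulaUnsafe(FORMULA_PAYLOAD),
    safeFormula: exportFormulaSafe(FORMULA_PAYLOAD),
    unsafeVideo: exportVideoUnsafe(VIDEO_PAYLOAD),
    safeVideo: exportVideoSafe(VIDEO_PAYLOAD),
    jsUrlVideo: exportVideoSafe("javascript:alert(1)"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The video case is the one most often missed: escaping alone stops the attribute breakout, but a javascript: URL is a perfectly well-formed attribute value, so URL scheme validation is needed in addition to escaping. The looksInjected() check is only a triage aid for exported strings; the actual defence is escaping at interpolation time or sanitizing before render.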
