react-draft-wysiwyg
cpe:2.3:a:react_draft_wysiwyg_project:react_draft_wysiwyg:*:*:*:*:node.js:*:*
- < 1.0.0
A cross-site scripting (XSS) vulnerability exists in all versions of the react-draft-wysiwyg package. The issue arises when using the Embedded button, which allows users to inject a payload that is then saved within an <iframe> tag. This vulnerability can be exploited by entering a JavaScript link, such as one starting with 'javascript:', into the 'Enter link' field after clicking the Embedded button.
Successful exploitation executes the injected JavaScript in the context of the user's browser, potentially leading to session hijacking or other malicious actions.
To reproduce this vulnerability, create a simple React application and include the react-draft-wysiwyg editor component. Once the application is running, click on the Embedded button in the editor toolbar. Enter a JavaScript payload, such as 'javascript:alert(1)', into the 'Enter link' field and click 'Add'. The payload will be executed immediately, demonstrating the XSS vulnerability.
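Applications that render the saved embed can mitigate this class of input by allowlisting URL schemes before anything reaches an `<iframe src>`. The following is an added JavaScript example, not code from react-draft-wysiwyg; `sanitizeEmbedUrl`, `renderEmbed`, the `sandbox` attribute and the example.com URLs are assumptions made for illustration, and the check also covers inputs a naive `javascript:` prefix test would miss (mixed case, leading whitespace, `data:` and scheme-less URLs).

```javascript
// Allowlist-based validation for a URL that an editor's Embedded control
// would place into an <iframe src>. Added example, not the package's own code.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Return a normalised absolute URL if `raw` is acceptable as an iframe
// source, or null if it must be rejected.
function sanitizeEmbedUrl(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    // WHATWG URL parsing strips leading/trailing whitespace and embedded
    // tabs/newlines and lower-cases the scheme, so "  JavaScript:..." still
    // yields protocol "javascript:" and is caught by the allowlist below.
    parsed = new URL(raw);
  } catch {
    // Relative or scheme-less input ("//host/path") throws: require an absolute URL.
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the iframe markup, or return null when the URL is rejected. The sandbox
// attribute (assumed acceptable here) limits what the framed document can do.
function renderEmbed(raw) {
  const src = sanitizeEmbedUrl(raw);
  if (src === null) return null;
  return `<iframe src="${escapeAttr(src)}" sandbox="allow-scripts"></iframe>`;
}

// Constructed sample inputs: the advisory's payload, variants a naive
// prefix check would miss, and a legitimate embed URL (example domain).
const SAMPLES = [
  'javascript:alert(1)',
  '  JavaScript:alert(1)',
  'data:text/html,hello',
  '//player.example.com/embed/1',
  'HTTPS://Player.Example.COM/embed/1',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', renderEmbed(s));
}
```

Only the last sample yields markup; every other input is rejected with `null`.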