Overview
Displays a field that allows users to type text and format it with a variety of style options.
Output is saved as HTML. To get the raw character output, designers can use the Appian function fn!stripHtml() on the output.
HTML output can be passed into the Send E-Mail node or document generation smart services. Note that not all formats supported by the Rich Text Editor component may be supported by e-mail or document generation.
Allows uploading of images, which are stored in the specified Appian folder (requires a separate install of the Rich Text Editor Connected System Plugin).
Visit End-User Rich Text Editor Component for more information.
If you have any problems installing or using the component, please see the Rich Text Editor Component Plug-in Troubleshooting Guide.
Key Features & Functionality
Supported Browsers: Chrome, Firefox, Edge, Safari
Supported on Mobile
Hi Team,
We found one medium security risk vulnerability when we ran the scan.
Vulnerability ID: BDSA-2021-1834
Can you fix this from your end?
Hello - I believe this is the same issue we discussed down below in May. Here's what I wrote below:
I searched and I think this is the CVE you're referring to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3163
If it's not, please let me know.
That CVE talks about storing an XSS payload via an onloadstart attribute of an IMG element. That is not exploitable by the Rich Text Editor plugin. The plugin enforces an allow-list of possible HTML elements that can be used. Anything that doesn't match the allow-list will be sanitized and removed.
Also, if you follow the links to the related Issue on the Quill repository, https://github.com/quilljs/quill/issues/3364, you'll see that this is only an issue "if untrusted content is loaded". That's not the case with the Rich Text Editor. Snyk has updated to say "this was deemed not a vulnerability": security.snyk.io/.../SNYK-JS-QUILL-1245047
Long story short, this issue with the underlying Quill library isn't exploitable in the Rich Text Editor.
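To illustrate the allow-list behaviour described in that reply, here is an added Python example using the standard-library HTML parser. It is not the plugin's code; the tag and attribute allow-lists are constructed for the illustration and the plugin's real lists are not on this page. It shows that an event-handler attribute such as the onloadstart from CVE-2021-3163 is dropped because it is simply not on the allow-list, while the img element itself survives.

```python
from html.parser import HTMLParser
from html import escape

# Constructed allow-lists for this example only (not the plugin's real lists).
ALLOWED_TAGS = {"p", "b", "i", "u", "strong", "em", "ul", "ol", "li", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_URL_PREFIXES = ("http://", "https://")


class AllowListSanitizer(HTMLParser):
    """Rebuild the markup, keeping only allow-listed tags and attributes.

    Tags not on the list are removed (their text content is kept as escaped
    text). Any attribute not on the list, which includes every on* event
    handler such as onloadstart, is dropped. href/src must be http(s) URLs.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:            # parser lowercases tag/attr names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # onloadstart, style, etc. end here
            value = value or ""
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue                      # blocks javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is never emitted raw


def sanitize(html: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```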
Quill is vulnerable to stored cross-site scripting (XSS) because it does not correctly sanitize user input before it is processed. An attacker could exploit this flaw to execute malicious JavaScript code in a victim's browser, which can result in the theft of session tokens or cookies.
Please provide more details about that vulnerability. If this is a CVE, it would be helpful if you could link to it on https://cve.mitre.org/. I tried searching for "BDSA-2021-1834" but got no results.