Overview
Starting in 24.2, the Styled Text Editor Component is available directly in the product. Consider using this in place of the plug-in moving forward. For more information, review: https://docs.appian.com/suite/help/latest/Styled_Text_Editor_Component.html
Visit https://community.appian.com/w/the-appian-playbook/1378/end-user-rich-text-editor-component for more information. If you have any problems installing or using the component, please see the troubleshooting guide: https://community.appian.com/w/the-appian-playbook/1603/rich-text-editor-component-plug-in-troubleshooting-guide
Key Features & Functionality
Supported Browsers: Chrome, Firefox, Edge, Safari
Supported on Mobile
Have you deployed the Appian Connected System - Rich Text Editor plugin and properly configured a connected system for that plugin, which you pass to the rich text editor SAIL component?
Good morning, using this plug-in we encounter the following error: when we upload the image, it is saved, but it is not displayed correctly. How can we solve it?
Thanks in advance!
This is done intentionally by the underlying library that is used, and is done to prevent a phishing vulnerability: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
We aren't going to be able to make an update to remove this attribute. I'd suggest just enhancing your logic to account for that string. When you are doing the extraction in Appian, you can probably just remove that substring from the full richTextValue variable and pretend it doesn't exist for the purposes of your logic.
richTextField
What component are you using? richTextField or richTextFieldWithTables ?
Hello,
Recently, we have noticed that hyperlinks created within the rich text editor component have been getting an additional string attached in the HTML code. The additional string added is 'rel="noopener noreferrer"'. Is this behavior expected? The additional string is causing some issues in interfaces where we extract the HTML links from the component value and display them separately.
Any information is appreciated!
Thanks for the update!
I searched and I think this is the CVE you're referring to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3163
If it's not, please let me know.
That CVE talks about storing an XSS payload via an onloadstart attribute of an IMG element. That is not exploitable by the Rich Text Editor plugin. The plugin enforces an allow-list of possible HTML elements that can be used. Anything that doesn't match the allow-list will be sanitized and removed.
Also, if you follow the links to the related Issue on the Quill repository, https://github.com/quilljs/quill/issues/3364, you'll see that this is only an issue "if untrusted content is loaded". That's not the case with the Rich Text Editor. Snyk has updated to say "this was deemed not a vulnerability": security.snyk.io/.../SNYK-JS-QUILL-1245047
Long story short, this issue with the underlying Quill library isn't exploitable in the Rich Text Editor.
Hi,
We are facing the vulnerability issues while scanning this plugin. Please find the issues below and kindly help to check. Quill Rich Text Editor: Quill is vulnerable to stored cross-site scripting (XSS) because it does not correctly sanitize user input before it is processed. An attacker could exploit this flaw to execute malicious JavaScript code in a victim's browser, which can result in the theft of session tokens or cookies. **Note**: the vendor disputes this issue, asserting that potentially dangerous content should be sanitized before being passed and loaded into the Quill editor.
It works with the signed version!
2022-05-18 08:02:43,519 [Appian Plugin Hot Deploy] INFO com.appiancorp.plugins.osgi.LoggingPluginFactoryDecorator - Plug-in Artifact 'rich-text-editor-1.8.2_signed.zip' SHA256 hash is 2bdf4ad04447ef77fb99342afc7a615ee5a1b29d93c478b320f39b67338863f0
2022-05-18 08:02:43,779 [Appian Plugin Hot Deploy] INFO com.appiancorp.plugins.component.ComponentPluginFactory - Component plug-in package rich-text-editor-1.8.2_signed.zip loaded in 259ms
2022-05-18 08:02:43,852 [Appian Plugin Hot Deploy] INFO com.appiancorp.plugins.LoggingPluginEventListener - Successfully installed Component Plug-in 'Rich Text' (com.appian.richtext)