Rich Text Editor Component

Overview

Starting in 24.2, the Styled Text Editor Component is available directly in the product. Consider using this in place of the plug-in moving forward. For more information, review: https://docs.appian.com/suite/help/latest/Styled_Text_Editor_Component.html

  • Displays a field that allows users to type text and format it with a variety of style options.
  • Output is saved as HTML. To get the raw character output, designers can use the Appian function fn!stripHtml() on the output.
  • HTML output can be passed into Send E-Mail node or document generation smart services. Note that not all formats supported by the Rich Text Editor component may be supported by e-mail or document generation.
  • Allows uploading of images which get stored in the specified Appian folder (requires separate install of the Rich Text Editor Connected System Plugin from https://community.appian.com/b/appmarket/posts/rich-text-editor-image-upload-connected-system).

Visit https://community.appian.com/w/the-appian-playbook/1378/end-user-rich-text-editor-component for more information. If you have any problems installing or using the component, please see the troubleshooting guide: https://community.appian.com/w/the-appian-playbook/1603/rich-text-editor-component-plug-in-troubleshooting-guide

Key Features & Functionality

  • Component: fn!richTextField()
  • Allows for size validation
  • Allows for adjustable height
  • Allows for read-only / editable view
  • Supported font formats: "header", "size", "bold", "italic", "underline", "strike", "color", "background", "link", "align", "indent", "list"
  • Designer control over the allowed formats

Supported Browsers: Chrome, Firefox, Edge, Safari
Supported on Mobile

Anonymous
  • I searched and I think this is the CVE you're referring to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3163

    If it's not, please let me know.

    That CVE talks about storing an XSS payload via an onloadstart attribute of an IMG element.  That is not exploitable by the Rich Text Editor plugin.  The plugin enforces an allow-list of possible HTML elements that can be used.  Anything that doesn't match the allow-list will be sanitized and removed. 

    Also, if you follow the links to the related Issue on the Quill repository, https://github.com/quilljs/quill/issues/3364, you'll see that this is only an issue "if untrusted content is loaded".  That's not the case with the Rich Text Editor.  Snyk has updated to say "this was deemed not a vulnerability": security.snyk.io/.../SNYK-JS-QUILL-1245047

    Long story short, this issue with the underlying Quill library isn't exploitable in the Rich Text Editor. 

  • Hi,

    We are facing vulnerability issues while scanning this plugin. Please find the issues below and kindly help to check.

    Quill Rich Text Editor:
    Quill is vulnerable to stored cross-site scripting (XSS) because it does not correctly sanitize user input before it is processed. An attacker could exploit this flaw to execute malicious JavaScript code in a victim's browser, which can result in the theft of session tokens or cookies.  **Note**: the vendor disputes this issue, asserting that potentially dangerous content should be sanitized before being passed and loaded into the Quill editor.

    Thanks in advance!

  • It works with the signed version!

    2022-05-18 08:02:43,519 [Appian Plugin Hot Deploy] INFO  com.appiancorp.plugins.osgi.LoggingPluginFactoryDecorator - Plug-in Artifact 'rich-text-editor-1.8.2_signed.zip' SHA256 hash is 2bdf4ad04447ef77fb99342afc7a615ee5a1b29d93c478b320f39b67338863f0
    2022-05-18 08:02:43,779 [Appian Plugin Hot Deploy] INFO  com.appiancorp.plugins.component.ComponentPluginFactory - Component plug-in package rich-text-editor-1.8.2_signed.zip loaded in 259ms
    2022-05-18 08:02:43,852 [Appian Plugin Hot Deploy] INFO  com.appiancorp.plugins.LoggingPluginEventListener - Successfully installed Component Plug-in 'Rich Text' (com.appian.richtext)

  • The AppMarket team has uploaded the Download link to provide the correct, signed version of the plugin.  Please download the latest version and try again.  The filename should be rich-text-editor-1.8.2_signed.zip

  • Hi  - apologies for the confusion. There was an issue with the download file. We have updated the file and rich-text-editor-1.8.2_signed.zip is available for download.

  • I'll escalate this to the App Market approvers group and see if they can help.

  • I have tried to download/install it again in our on-premise environment and the result is the same:

    2022-05-16 09:07:40,128 [Appian Plugin Hot Deploy] INFO  com.appiancorp.plugins.osgi.LoggingPluginFactoryDecorator - Plug-in Artifact 'rich-text-editor-1.8.2.zip' SHA256 hash is 34a81125cf62e3276cc32caf1de624baef6eaa832144f760807f679c2737a2cc
    2022-05-16 09:07:40,216 [Appian Plugin Hot Deploy] ERROR com.appiancorp.plugins.LoggingPluginEventListener - Failed to load Plug-in 'com.appian.richtext' (com.appian.richtext) version 0.0: 'Component plug-in approval verification failed. Please contact Appian for approval process'

  • I downloaded the 1.8.2 version from this site. In the log file it says "Plug-in Artifact 'rich-text-editor-1.8.2.zip'"