IMPORTANT: Select component plug-ins are experiencing issues due to a recent browser update. If you encounter any problems with previously functional component plug-ins, please create a support case. If you notice other component plug-ins that are not functioning correctly, please create additional support cases for each instance.
Overview
Starting in 24.2, the Styled Text Editor Component is available directly in the product. Consider using this in place of the plug-in moving forward. For more information, review: https://docs.appian.com/suite/help/latest/Styled_Text_Editor_Component.html
Visit https://community.appian.com/w/the-appian-playbook/1378/end-user-rich-text-editor-component for more information. If you have any problems installing or using the component, please see the troubleshooting guide: https://community.appian.com/w/the-appian-playbook/1603/rich-text-editor-component-plug-in-troubleshooting-guide
Key Features & Functionality
Supported Browsers: Chrome, Firefox, Edge, Safari
Supported on Mobile
1. The plugin uses deprecated functionality; however, there are no plans to address it since there is no workaround. There is no actual risk as that functionality will not be removed. We will see if we can suppress it from the health check so it's no longer incorrectly flagged as a risk.
2. There is a separate plugin function that supports tables in that plugin, see here for more details: community.appian.com/.../end-user-rich-text-editor-component
Hi Team,
Can you please help me out with the queries below?
1. In the Appian Health Check it is flagged as a medium-risk item. Please find more details. Are we going to update the plugin code, or if we use the plugin now, is there any risk involved?
Example: "Appian Connected System - Rich Text Editor (com.appian.richtext.csp) references deprecated Appian APIs [deprecated] com.appiancorp.suiteapi.common.ServiceLocator.getContentService(com.appiancorp.services.ServiceContext)".
2. Are there any plans to support the tabular format in future releases?
Thanks!!
This is a limitation of the component plug-in framework. We added a note in the docs community.appian.com/.../end-user-rich-text-editor-component that says: The required field shows or hides the asterisk indicating if the component is required but does not enforce requiredness. To enforce requiredness, use the parameter "validations". To enforce requiredness only upon submission, use section or form-level validations.
I am unable to get the required field to stop a form from submitting. Is there possibly something wrong with this plugin? Looking to see if anyone else has had this problem before.
Hello - I believe this is the same issue we discussed down below in May. Here's what I wrote below:
I searched and I think this is the CVE you're referring to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3163
If it's not, please let me know.
That CVE talks about storing an XSS payload via an onloadstart attribute of an IMG element. That is not exploitable by the Rich Text Editor plugin. The plugin enforces an allow-list of possible HTML elements that can be used. Anything that doesn't match the allow-list will be sanitized and removed.
Also, if you follow the links to the related Issue on the Quill repository, https://github.com/quilljs/quill/issues/3364, you'll see that this is only an issue "if untrusted content is loaded". That's not the case with the Rich Text Editor. Snyk has updated to say "this was deemed not a vulnerability": security.snyk.io/.../SNYK-JS-QUILL-1245047
Long story short, this issue with the underlying Quill library isn't exploitable in the Rich Text Editor.
Quill is vulnerable to stored cross-site scripting (XSS) because it does not correctly sanitize user input before it is processed. An attacker could exploit this flaw to execute malicious JavaScript code in a victim's browser, which can result in the theft of session tokens or cookies.
Please provide more details about that vulnerability. If this is a CVE, it would be helpful if you could link to it on https://cve.mitre.org/. I tried searching for "BDSA-2021-1834" but got no results.
We found one medium security risk vulnerability when we ran the scan.
Vulnerability ID: BDSA-2021-1834
Can you fix this from your end?
Hi Marco - are you able to take a screenshot of the Network tab of the developer console and send that?
Hello - please refer to the Troubleshooting Guide and follow the steps outlined there. Hopefully that'll help you resolve your issue: community.appian.com/.../rich-text-editor-component-plug-in-troubleshooting-guide