bugfix added sanitization html preview to text.

[MarioTesoro]

Hi @kolkov and contributors,

I've opened this PR to fix #580, the issue was in toggleEditorMode method.
According to the existing logic I made the sanitization optional only if the sanitizer is enabled.
I made also some tests and the xss is not triggered anymore. Anyway it may happen for some tags that are target of the sanitizer, returned as empty so the user will not have back the same html but I guess it's ok (it's how the sanitizer implemented into the project work).

Finally I would like to ask you if a CVE can be requested for the xss.

Thanks!

[kolkov]

Hi @MarioTesoro, thank you for finding the real vulnerability!

You're absolutely right - the XSS was happening in toggleEditorMode(), not refreshView(). When switching from HTML source mode back to WYSIWYG, the user-entered HTML was being set via innerHTML without sanitization.

Great catch!

I have a couple of suggestions to improve the fix:

1. Second code path - Line 360 also needs sanitization (the oContent.toString() fallback when querySelectorAll is not available).

2. Code style consistency - Our existing pattern uses "this.config.sanitize !== false" instead of "this.config.sanitize || this.config.sanitize === undefined"

Would you like to update the PR with these changes, or would you prefer I merge this and add those fixes myself?

Regarding the CVE request - yes, this is a valid XSS vulnerability that should have a CVE. Once we merge and release v3.0.4, I'll file for a CVE with MITRE.

Thanks again for your persistence in tracking this down!

[MarioTesoro]

Hi @kolkov,

sorry for delay. I've updated the PR with your suggestions in commit b0729c0.
Let me know if it looks ok.

Thanks!