fix(security): apply sanitization in refreshView() to prevent XSS (#580)

kolkov · kolkov · commit 774a97d0b30e · 2025-11-22T22:42:44.000+03:00
SECURITY FIX: XSS vulnerability when setting editor value via writeValue() The refreshView() method was setting innerHTML without sanitization, allowing XSS payloads to execute even with sanitize: true config. This affected all programmatic value setting: - ngModel binding - FormControl setValue/patchValue - Direct property assignment Now applies DomSanitizer in refreshView() based on config.sanitize flag. Fix verified with PoC from @MarioTesoro. Fixes #580
diff --git a/projects/angular-editor/src/lib/editor/angular-editor.component.ts b/projects/angular-editor/src/lib/editor/angular-editor.component.ts
@@ -275,7 +275,11 @@ export class AngularEditorComponent implements OnInit, ControlValueAccessor, Aft
    */
   refreshView(value: string): void {
     const normalizedValue = value === null ? '' : value;
-    this.r.setProperty(this.textArea.nativeElement, 'innerHTML', normalizedValue);
+    // Apply sanitization to prevent XSS when setting innerHTML
+    const sanitizedValue = this.config.sanitize !== false
+      ? this.sanitizer.sanitize(SecurityContext.HTML, normalizedValue)
+      : normalizedValue;
+    this.r.setProperty(this.textArea.nativeElement, 'innerHTML', sanitizedValue);
 
     return;
   }
