VYPR
Moderate severity · NVD Advisory · Published Feb 2, 2018 · Updated Sep 16, 2024

CVE-2018-6561

Description

Dojo Toolkit 1.13's dijit.Editor allows XSS via the onload attribute of an SVG element, enabling arbitrary script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The dijit.Editor widget in Dojo Toolkit version 1.13 does not sanitize event handler attributes in SVG elements when editing content in source mode. An attacker can inject a crafted SVG element with an onload attribute that executes arbitrary JavaScript when the editor content is viewed. This is a stored XSS vulnerability that affects users who open or view editor content containing the malicious SVG. [1][3]

Exploitation

An attacker needs the ability to edit the content of a dijit.Editor, either directly or through a compromised account. The attacker inserts an SVG element carrying an onload attribute in the source edit mode. When the content is rendered in the editor or previewed, the onload event fires and executes the JavaScript payload. No special network position or user interaction beyond viewing the editor content is required. [3]

Impact

Successful exploitation allows arbitrary JavaScript execution in the context of the user's browser session. This can lead to theft of sensitive information (e.g., cookies, session tokens), defacement, or further attacks against the application and its users. The attack achieves cross-site scripting (XSS) with the same origin and privileges of the authenticated user. [1][3]

Mitigation

The fix was applied in commit [2], which introduces a stripEventHandlers option in the viewSource plugin, defaulting to true. Upgrading to a version containing this commit (post-1.13) or applying the patch manually mitigates the issue. Users can also avoid using source edit mode or sanitize editor content server-side. No explicit fixed version number is provided, but the repository indicates ongoing maintenance. [2][4]
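As an added example (not code from Dojo or from the fix commit), the following JavaScript strips every attribute whose name starts with `on` from a serialized HTML string by walking each tag's attributes one by one, which also covers unquoted, single-quoted, upper-cased and line-spanning handler attributes; it assumes the input is the editor's serialized value, and in a browser a DOM walk over a detached document with `removeAttribute` would be the preferable form.

```javascript
// Added example, not code from the Dojo project or the fix commit: remove
// every attribute whose name begins with "on" from serialized HTML, the
// behaviour the viewSource plugin's stripEventHandlers option intends.
// Assumption: the input is the editor's serialized value. In a browser a
// DOM walk (parse into a detached document, removeAttribute) is preferable;
// this scanner exists so the logic can be exercised offline in Node.

// Sticky regexes: each exec() must match exactly at lastIndex.
const TAG_OPEN = /<[a-zA-Z][^\s\/>]*/y;                                   // "<" + tag name
const ATTR = /[\s\/]*(=?[^\s\/>=]+|=)(?:\s*=\s*("[^"]*"?|'[^']*'?|[^\s>]+))?/y; // one attribute
const TAG_END = /\s*\/?>/y;                                                 // ">" or "/>"

function stripEventHandlers(html) {
  let out = "";
  let i = 0;
  while (i < html.length) {
    TAG_OPEN.lastIndex = i;
    const open = TAG_OPEN.exec(html);
    if (!open) {                  // not a start tag: copy one character through
      out += html[i++];
      continue;
    }
    let tag = open[0];
    let j = TAG_OPEN.lastIndex;
    // Walk the attributes, keeping each verbatim (quoting and whitespace
    // included) unless its name starts with "on", case-insensitively.
    for (;;) {
      ATTR.lastIndex = j;
      const attr = ATTR.exec(html);
      if (!attr) break;
      j = ATTR.lastIndex;
      if (!/^on/i.test(attr[1])) {
        // Re-insert a separator if the dropped neighbour was the only one.
        tag += (/^[\s\/]/.test(attr[0]) ? "" : " ") + attr[0];
      }
    }
    TAG_END.lastIndex = j;
    const end = TAG_END.exec(html);
    if (end) {                    // close the rebuilt tag; at EOF there is nothing to close
      tag += end[0];
      j = TAG_END.lastIndex;
    }
    out += tag;
    i = j;
  }
  return out;
}

// Constructed sample mirroring the patch's test page, plus an unquoted SVG case.
const SAMPLE = '<img ondrag=\'a\' src="./bug.png" onclick="b">\n<svg onload=run()><circle r="1"/></svg>';
console.log(stripEventHandlers(SAMPLE));
```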

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
dijit (npm)    < 1.13.1            1.13.1

Patches

d22d6cc3458c

Update Editor to remove event handler attributes from tags in the editor's contents. (#146)

https://github.com/dojo/dijit · Ed Hager · Apr 27, 2018 · via ghsa
3 files changed · +69 −1
  • _editor/plugins/ViewSource.js  +27 −1  modified
    @@ -45,6 +45,12 @@ define([
     		//		Defaults to true.
     		stripIFrames: true,
     
    +		// stripEventHandlers: [public] Boolean
    +		//		Boolean flag used to indicate if event handler attributes like onload should be
    +		//		stripped from the document.
    +		//		Defaults to true.
    +		stripEventHandlers: true,
    +
     		// readOnly: [const] Boolean
     		//		Boolean flag used to indicate if the source view should be readonly or not.
     		//		Cannot be changed after initialization of the plugin.
    @@ -477,6 +483,22 @@ define([
     			return html;
     		},
     
    +		_stripEventHandlers: function (html) {
    +			if(html){
    +				// Find all tags that contain an event handler attribute (an on* attribute).
    +				var matches = html.match(/<[a-z]+?\b(.*?on.*?(['"]).*?\2.*?)+>/gim);
    +				if(matches){
    +					for(var i = 0, l = matches.length; i < l; i++){
    +						// For each tag, remove only the event handler attributes.
    +						var match = matches[i];
    +						var replacement = match.replace(/\s+on[a-z]*\s*=\s*(['"])(.*?)\1/igm, "");
    +						html = html.replace(match, replacement);
    +					}
    +				}
    +			}
    +			return html;
    +		},
    +
     		_filter: function(html){
     			// summary:
     			//		Internal function to perform some filtering on the HTML.
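Review bot: `_stripEventHandlers` only removes handler attributes whose value is quoted, because the inner pattern requires `(['"])(.*?)\1`; an `on*` attribute with an unquoted value, which browsers accept, passes through unchanged, so the filter should not depend on quoting. Two further fragilities in the same function: `.` does not match newlines even with the `m` flag, so a tag whose attributes span lines (as `button1` in the new test page does) is matched only if the editor has already re-serialized it onto one line, and `html.replace(match, replacement)` with a string `replacement` expands `$`-sequences, so an attribute value containing `$&` or `$1` would be rewritten. A more robust approach is to parse the HTML into a detached document and call `removeAttribute` for every attribute whose name starts with `on`, leaving the regexes out entirely.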
    @@ -494,6 +516,9 @@ define([
     				if(this.stripIFrames){
     					html = this._stripIFrames(html);
     				}
    +				if(this.stripEventHandlers){
    +					html = this._stripEventHandlers(html);
    +				}
     			}
     			return html;
     		},
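Review bot: the new branch mirrors the `stripIFrames` gate, which is consistent, but it lives in the ViewSource plugin's `_filter`, so it only covers content that passes through this plugin; the option's doc comment should state that editors without `viewSource` in `extraPlugins` get no stripping from this change.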
    @@ -543,7 +568,8 @@ define([
     			readOnly: ("readOnly" in args) ? args.readOnly : false,
     			stripComments: ("stripComments" in args) ? args.stripComments : true,
     			stripScripts: ("stripScripts" in args) ? args.stripScripts : true,
    -			stripIFrames: ("stripIFrames" in args) ? args.stripIFrames : true
    +			stripIFrames: ("stripIFrames" in args) ? args.stripIFrames : true,
    +			stripEventHandlers: ("stripEventHandlers" in args) ? args.stripEventHandlers : true
     		});
     	};
     
    
  • tests/editor/bug.png  +0 −0  added
  • tests/editor/test_ViewSource.html  +42 −0  modified
    @@ -105,6 +105,48 @@ <h2>Things to test:</h2>
     	</div>
     	<br>
     	<br>
    +	<div>
    +		<div id="editor4" data-dojo-type="dijit/Editor"
    +			 data-dojo-props='"aria-label":"editor3",extraPlugins:["fullScreen", "viewSource"],
    +			style:"background-color: white; width: 800px;", height:"300px" '>
    +			<h1>ViewSource Plugin with stripEventHandlers enabled</h1>
    +			<img ondrag="alert('Bug dragged!')" src="./bug.png" onclick="alert('Bug clicked!');">
    +			<button
    +					onclick="alert('Button clicked!')"
    +					id="button1"
    +					ondblclick="alert('Button double clicked!')">
    +				onclick button
    +			</button>
    +			<button name="button" id="button2">Just a button</button>
    +			<h2>Things to test:</h2>
    +			<ol>
    +				<li>Click the view source button and verify that all on* attributes have been removed.</li>
    +			</ol>
    +		</div>
    +	</div>
    +	<br>
    +	<br>
    +	<div>
    +		<div id="editor5" data-dojo-type="dijit/Editor"
    +			 data-dojo-props='"aria-label":"editor3",extraPlugins:["fullScreen", {name: "viewSource", stripEventHandlers: false}],
    +			style:"background-color: white; width: 800px;", height:"300px" '>
    +			<h1>ViewSource Plugin with stripEventHandlers disabled</h1>
    +			<img ondrag="alert('Bug dragged!')" src="./bug.png" onclick="alert('Bug clicked!');">
    +			<button
    +					onclick="alert('Button clicked!')"
    +					id="button3"
    +					ondblclick="alert('Button double clicked!')">
    +				onclick button
    +			</button>
    +			<button name="button" id="button4">Just a button</button>
    +			<h2>Things to test:</h2>
    +			<ol>
    +				<li>Click the view source button and verify that all on* attributes have NOT been removed.</li>
    +			</ol>
    +		</div>
    +	</div>
    +	<br>
    +	<br>
     	<div>Content after the editors.</div>
     </body>
     </html>
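Review bot: both new editors exercise only `img` and `button` elements with double-quoted handler values, so the vector the advisory names (an SVG element with an `onload` attribute) and a handler with an unquoted value are never tested; add both to `editor4`. The check itself is manual ("verify that all on* attributes have been removed"), so consider an automated test that toggles the plugin and asserts the returned value contains no `on*` attribute. Minor: `editor4` and `editor5` both declare `"aria-label":"editor3"`.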
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References
