VYPR
Low severity · NVD Advisory · Published Jun 15, 2020 · Updated Aug 4, 2024

XSS in Dijit Editor's LinkDialog plugin

CVE-2020-4051

Description

Dijit Editor's LinkDialog plugin contains a cross-site scripting (XSS) vulnerability due to insufficient input sanitization of link descriptions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Overview

The Dijit Editor's LinkDialog plugin is vulnerable to cross-site scripting (XSS) due to insufficient sanitization of user-supplied link descriptions. The vulnerable code existed in multiple versions of the library, including those before 1.11.11, and versions 1.12.0 through 1.12.8, 1.13.0 through 1.13.7, 1.14.0 through 1.14.6, 1.15.0 through 1.15.3, and 1.16.0 through 1.16.2 [1][3].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link description containing HTML or JavaScript. When the Editor's LinkDialog processes this input without proper filtering, the injected code can be executed in the context of the victim's browser. The attack requires the user to interact with the editor (e.g., creating or editing a link) and can be triggered without authentication if the editor is publicly accessible [2].

Impact

Successful exploitation could allow an attacker to execute arbitrary JavaScript, steal sensitive data, or perform actions on behalf of the victim. This vulnerability is classified as a stored XSS attack, meaning the malicious payload persists and affects other users who view the crafted link [1][3].

Mitigation

The vulnerability has been patched in Dijit versions 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, and 1.16.3 [2][3]. Users should upgrade to one of these patched versions. A workaround is to manually apply the filtering logic introduced in the fix, which includes setting allowUnsafeHtml to false (default) and configuring a linkFilter to escape HTML characters [2].
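As an added example (not dijit's own code), the filtering step that the fix introduces is reproduced stand-alone in plain JavaScript, next to a stricter linkFilter that escapes every HTML-significant character rather than only the tag opener. The option names allowUnsafeHtml and linkFilter come from the patch; applyLinkFilter, escapeHtmlText, createLinkPlugin and the sample descriptions are assumptions constructed for illustration.

```javascript
// Reproduction of the patched plugin's filtering step (added example, not
// dijit code). A function filter receives the description and its return
// value is used; an array filter is a list of [pattern, replacement] pairs
// handed to String#replace in order.
function applyLinkFilter(textInput, opts) {
  const allowUnsafeHtml = opts.allowUnsafeHtml === true;
  // Same default as the patch: only "<" is neutralised.
  const linkFilter = opts.linkFilter || [[/</g, "&lt;"]];
  if (allowUnsafeHtml || !textInput) {
    return textInput; // opt-in bypass, or nothing to filter
  }
  if (typeof linkFilter === "function") {
    return linkFilter(textInput);
  }
  return linkFilter.reduce(
    (s, [pattern, replacement]) => s.replace(pattern, replacement),
    textInput
  );
}

// Stricter filter: a complete escape for text-node context (assumption: the
// description ends up as the link's text content, not inside an attribute).
function escapeHtmlText(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Plugin entry as it would be listed in an Editor's extraPlugins
// (hypothetical configuration using the option names from the patch).
const createLinkPlugin = {
  name: "createLink",
  allowUnsafeHtml: false,
  linkFilter: escapeHtmlText,
};

// Constructed sample descriptions, run through the default and strict filters.
const SAMPLE_DESCRIPTIONS = ["click <b>here</b>", "Tom & Jerry", ""];
for (const d of SAMPLE_DESCRIPTIONS) {
  console.log(JSON.stringify(d), "->",
    JSON.stringify(applyLinkFilter(d, {})), "|",
    JSON.stringify(applyLinkFilter(d, createLinkPlugin)));
}
```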

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions        Patched versions
dijit (npm)    < 1.11.11                1.11.11
dijit (npm)    >= 1.12.0, < 1.12.9      1.12.9
dijit (npm)    >= 1.13.0, < 1.13.8      1.13.8
dijit (npm)    >= 1.14.0, < 1.14.7      1.14.7
dijit (npm)    >= 1.15.0, < 1.15.4      1.15.4
dijit (npm)    >= 1.16.0, < 1.16.3      1.16.3

Affected products

  • ghsa-coords
    Range: < 1.11.11
  • Dojo/dijitv5
    Range: < 1.11.11

Patches

462bdcd60d03

Merge pull request from GHSA-cxjc-r2fp-7mq6

https://github.com/dojo/dijit · Mangala Sadhu Sangeet Singh Khalsa · Jun 13, 2020 · via ghsa
2 files changed · +56 −3
  • _editor/plugins/LinkDialog.js  +36 −3  modified
    @@ -1,5 +1,6 @@
     define([
     	"require",
    +	"dojo/_base/array",
     	"dojo/_base/declare", // declare
     	"dojo/dom-attr", // domAttr.get
     	"dojo/keys", // keys.ENTER
    @@ -11,7 +12,7 @@ define([
     	"../_Plugin",
     	"../../form/DropDownButton",
     	"../range"
    -], function(require, declare, domAttr, keys, lang, on, has, query, string,
    +], function(require, array, declare, domAttr, keys, lang, on, has, query, string,
     	_Plugin, DropDownButton, rangeapi){
     
     	// module:
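Review bot: the new `array` parameter is placed at index 1 of the factory signature, matching where "dojo/_base/array" was inserted in the dependency list in the previous hunk, so the positional AMD binding stays correct; because any later reordering of either list silently rebinds every argument, keep the two lists visibly aligned when this is touched again.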
    @@ -26,6 +27,21 @@ define([
     		//
     		//		- createLink
     
    +		// allowUnsafeHtml: boolean
    +		//		If false (default), the link description will be filtered to prevent HTML content.
    +		//		If true no filtering is done, allowing for HTML content within the link element.
    +		//		The filter can be specified with the 'linkFilter' option.
    +		allowUnsafeHtml: false,
    +
    +		// linkFilter: function or array of replacement pairs
    +		//		If 'allowUnsafeHtml' is false then this filter will be applied to the link Description value.
    +		//		function: the function will be invoked with the string value of the Description field and its
    +		//			return value will be used
    +		//		array: each array item should be an array of two values to pass to String#replace
    +		linkFilter: [
    +			[/</g, "&lt;"]
    +		],
    +
     		// Override _Plugin.buttonClass.   This plugin is controlled by a DropDownButton
     		// (which triggers a TooltipDialog).
     		buttonClass: DropDownButton,
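Review bot: the default `linkFilter` only rewrites `<`, so the description is no longer able to open a tag but `&`, `>` and quotes pass through unchanged; consider making the default a complete text-node escape, e.g. `[/&/g, "&amp;"], [/</g, "&lt;"], [/>/g, "&gt;"]` with the `&` pair first so it does not re-escape the entities produced by the later pairs. Also note that an array literal in a `declare` prototype is shared by every instance, so a caller that mutates `this.linkFilter` in place changes the filter for all editors on the page; a comment warning against that, or cloning in the constructor, would avoid surprises.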
    @@ -252,6 +268,16 @@ define([
     			if(args && args.urlInput){
     				args.urlInput = args.urlInput.replace(/"/g, "&quot;");
     			}
    +			if(!this.allowUnsafeHtml && args && args.textInput){
    +				if(typeof this.linkFilter === 'function'){
    +					args.textInput = this.linkFilter(args.textInput);
    +				}
    +				else{
    +					array.forEach(this.linkFilter, function (currentFilter) {
    +						args.textInput = args.textInput.replace(currentFilter[0], currentFilter[1]);
    +					});
    +				}
    +			}
     			return args;
     		},
     
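Review bot: there is no check that `linkFilter` is actually a function or an array of pairs before the `else` branch hands it to `array.forEach`, so a misconfigured value (a string, `null`, or a single pair instead of a list of pairs) is processed silently rather than rejected; validating the shape and throwing, or at least logging, would make a broken filter visible instead of quietly weakening the sanitization. The `args.textInput` truthiness test is fine here since an empty description has nothing to filter.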
    @@ -629,8 +655,15 @@ define([
     	});
     
     	// Register these plugins
    -	_Plugin.registry["createLink"] = function(){
    -		return new LinkDialog({command: "createLink"});
    +	_Plugin.registry["createLink"] = function(args){
    +		var pluginOptions = {
    +			command: "createLink",
    +			allowUnsafeHtml: ("allowUnsafeHtml" in args) ? args.allowUnsafeHtml : false
    +		};
    +		if("linkFilter" in args){
    +			pluginOptions.linkFilter = args.linkFilter;
    +		}
    +		return new LinkDialog(pluginOptions);
     	};
     	_Plugin.registry["insertImage"] = function(){
     		return new ImgLinkDialog({command: "insertImage"});
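Review bot: `"allowUnsafeHtml" in args` throws a TypeError when `args` is undefined, and the unchanged `insertImage` factory two lines below shows the registry callbacks were previously invoked without arguments; add `args = args || {};` at the top of the function. The ternary is also redundant because the class default is already `false`; copying `args.allowUnsafeHtml` only when present, exactly as `linkFilter` is handled below it, would be simpler and consistent.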
    
  • tests/editor/test_LinkDialog.html  +20 −0  modified
    @@ -7,6 +7,10 @@
     	<script type="text/javascript" src="../boilerplate.js"></script>
     
     	<script type="text/javascript">
    +		function filterLink () {
    +			return 'Filtered Value';
    +		}
    +
     		require([
     			"dojo/parser",
     			"dijit/Editor",
    @@ -36,6 +40,22 @@
     		</div>
     	</div>
     
    +	<p>Editor with <code>allowUnsafeHtml</code> set to <code>true</code></p>
    +	<div style="border: 1px dotted black;">
    +		<div id="editorUnsafe" data-dojo-type="dijit/Editor" data-dojo-props='"aria-label":"editor",extraPlugins:[{name: "createLink", allowUnsafeHtml: true}, "insertImage", "viewSource"]'>
    +			<p>This editor will allow unrestricted HTML in the Description field of links</p>
    +			<br>
    +		</div>
    +	</div>
    +
    +	<p>Editor with custom <code>linkFilter</code> function</p>
    +	<div style="border: 1px dotted black;">
    +		<div id="editorLinkFilter" data-dojo-type="dijit/Editor" data-dojo-props='"aria-label":"editor",extraPlugins:[{name: "createLink", linkFilter: filterLink}, "insertImage", "viewSource"]'>
    +			<p>Links created in this editor will always have a description of "Filtered Value", which is the value returned by the custom <code>linkFilter</code> function.</p>
    +			<br>
    +		</div>
    +	</div>
    +
     	<p>RTL Editor:</p>
     	<div style="border: 1px dotted black;">
     		<div id="reditor" data-dojo-type="dijit/Editor" dir="rtl" data-dojo-props='"aria-label":"reditor",extraPlugins:["createLink", "insertImage"]'>
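Review bot: both new editors exercise only the opt-in paths (`allowUnsafeHtml: true` and a custom `linkFilter` that returns a constant); nothing on this page checks the default behaviour the advisory is about, namely that a description containing markup such as `<b>text</b>` in the unmodified editor is rendered as literal text. Adding a third editor with default settings and a note on the expected rendered output, or better an automated test asserting on the generated link's text, would cover the actual fix.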
    
