VYPR
Moderate severity · NVD Advisory · Published Feb 20, 2023 · Updated Mar 10, 2025

textAngular text editor vulnerable to Cross-site Scripting

CVE-2021-32854

Description

textAngular is a text editor for Angular.js. Versions 1.5.16 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload and pasting it into the text editor. There are no known patches.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: textangular (npm)
Affected versions: <= 1.5.16
Patched versions: none

Vulnerability mechanics

Root cause

"Missing sanitization of pasted HTML content allows event handler attributes to persist and execute."

Attack vector

An attacker crafts a malicious HTML payload containing an event handler, such as `<img src="foo" onload="alert(1)" onerror="alert(2)"/>`, and tricks a victim into copying it (e.g., via a "Copy as HTML" mechanism on a third-party site) [ref_id=2]. The victim then pastes the payload into a textAngular editor instance. Because textAngular does not neutralize the event handler attributes during the paste operation, the browser executes the attacker's JavaScript when the pasted content is rendered [CWE-79]. The attack requires user interaction (the victim must copy and paste the payload) [ref_id=2].

Affected code

The advisory does not specify exact functions or files within textAngular that are at fault. The vulnerability exists in textAngular version 1.5.16 and prior [ref_id=2]. The editor fails to sanitize or neutralize HTML content that is pasted from the clipboard, allowing event handler attributes (e.g., `onload`, `onerror`) to persist in the editor's output [ref_id=2].

What the fix does

The advisory states that "there are no known patches" for this vulnerability [ref_id=1]. No fix has been published by the maintainers. The recommended remediation would be to sanitize pasted HTML content to strip or neutralize event handler attributes (such as `onload`, `onerror`, and `onclick`) before inserting it into the editor's DOM, preventing the execution of attacker-controlled scripts [CWE-79].
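An added, constructed illustration of the remediation described above; this is not textAngular code and not a published patch. It is an allowlist sanitizer built on Python's standard-library HTML parser, the kind of logic a client would need at paste time and that a server should also run over the editor's stored HTML as defense in depth; the tag and attribute allowlists and the function names are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist: only these tags survive; any other tag is unwrapped and its text kept.
ALLOWED_TAGS = {"p", "div", "span", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li", "a", "img"}
VOID_TAGS = {"br", "img"}
# Per-tag attribute allowlist ("*" = every tag). No on* handler is ever listed, which is
# exactly what neutralizes the advisory's onload/onerror payload.
ALLOWED_ATTRS = {"*": {"class"}, "a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_SCHEMES = {"http", "https", "mailto"}

def _safe_url(value):
    scheme = urlsplit((value or "").strip()).scheme
    return scheme == "" or scheme in SAFE_SCHEMES   # relative URLs pass; javascript:/data: do not

class PasteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], False

    def handle_starttag(self, tag, attrs):
        self._skip = tag in ("script", "style")   # their text is discarded; parser is in CDATA mode inside them
        if tag not in ALLOWED_TAGS:
            return
        allowed = ALLOWED_ATTRS["*"] | ALLOWED_ATTRS.get(tag, set())
        kept = []
        for name, value in attrs:
            bad_url = name in ("href", "src") and not _safe_url(value)
            if name.startswith("on") or name not in allowed or bad_url:
                self.dropped.append((tag, name))   # audit trail for logging/alerting
                continue
            kept.append(f' {name}="{escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        self._skip = False
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # re-escape text the parser decoded

def sanitize_pasted_html(fragment):
    # Returns (clean_html, dropped_attrs) for an untrusted text/html clipboard fragment.
    p = PasteSanitizer()
    p.feed(fragment); p.close()
    return "".join(p.out), p.dropped

# Constructed sample input: the payload quoted in the advisory's reproduction steps.
ADVISORY_PAYLOAD = '<div class="MsoNormal">foobar<img src="foo" onload="alert(1)" onerror="alert(2)"/></div>'
```

Running `sanitize_pasted_html(ADVISORY_PAYLOAD)` yields `<div class="MsoNormal">foobar<img src="foo"></div>` together with the list of removed attributes, which is worth logging: repeated drops of `on*` attributes from one user's pastes are a useful detection signal.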

Preconditions

  • config: Victim must be using textAngular version 1.5.16 or prior
  • input: Victim must copy a malicious HTML payload from an attacker-controlled source
  • input: Victim must paste the payload into a textAngular editor instance

Reproduction

1. Open the page at `cdn.sekurak.pl/copy-paste/playground.html` [ref_id=2].
2. Paste the following code into the "HTML Input" field: `<div class="MsoNormal">foobar<img src="foo" onload="alert(1)" onerror="alert(2)"/></div>` [ref_id=2].
3. Click "Copy as HTML" [ref_id=2].
4. Open `http://textangular.com` (or any page using textAngular) [ref_id=2].
5. Paste into the text editor. The `alert()` will fire, demonstrating XSS [ref_id=2].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
