vditor vulnerable to Cross-site Scripting
Description
Vditor is a browser-side Markdown editor. Versions prior to 3.8.7 are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. Version 3.8.7 contains a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| vditor (npm) | < 3.8.7 | 3.8.7 |
Affected products
- npm/vditor, range: 3.8.7
Patches
Vulnerability mechanics
Root cause
"Missing sanitization of pasted HTML content allows injection of arbitrary JavaScript via copy-paste."
Attack vector
An attacker crafts a malicious HTML payload containing JavaScript event handlers (e.g., `onload`, `onerror`, `onmouseover`) or script tags. The victim must be tricked into copying this payload (e.g., from a malicious webpage or email) and pasting it into the Vditor editor using standard paste operations (Ctrl+V or right-click paste). Because the editor did not sanitize pasted HTML, the malicious script executes in the context of the victim's browser session, leading to cross-site scripting (XSS) [CWE-79]. No authentication or special network position is required beyond the victim visiting a page that embeds Vditor.
Affected code
The vulnerability is in the `paste` function within `src/ts/util/fixBrowserBehavior.ts`. When content was pasted, the editor parsed the clipboard HTML into a document, retrieved `doc.body.innerHTML`, and inserted it into the editor's DOM without sanitizing it. The patch adds a call to `Lute.Sanitize(textHTML)` on the pasted HTML content before processing it further [patch_id=1706196].
What the fix does
The patch adds a single line in `src/ts/util/fixBrowserBehavior.ts` that calls `Lute.Sanitize(textHTML)` on the pasted HTML content before it is processed and inserted into the editor [patch_id=1706196]. The `Sanitize` method is also declared in the TypeScript type definitions (`types/index.d.ts`). This sanitization strips or escapes malicious HTML elements and attributes (such as script tags and event handlers), preventing the execution of attacker-controlled JavaScript when the pasted content is rendered in the editor.
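To make the affected-code and fix sections above concrete, here is an added example (not vditor's own code) of a paste handler in the shape the advisory describes, with the pre-3.8.7 path and the 3.8.7 path side by side. `sanitizeHTML` is an assumed, deliberately small stand-in for `Lute.Sanitize`; `paste` and `SAMPLE_PASTE` are constructed for the demo.

```javascript
// Added example, not vditor's own code: a paste handler in the shape the
// advisory describes, with the pre-3.8.7 path (raw body HTML inserted) and
// the fixed path (HTML sanitized first) side by side.

// sanitizeHTML is a deliberately small stand-in for Lute.Sanitize, written for
// this demo. Regex filtering of HTML is not a complete sanitizer; in production
// use the editor's Lute.Sanitize or a maintained library such as DOMPurify.
const SCRIPT_LIKE = /<\s*(script|iframe|object|embed)\b[^>]*>[\s\S]*?<\s*\/\s*\1\s*>/gi;
const SCRIPT_LIKE_OPEN = /<\s*(script|iframe|object|embed|base|meta)\b[^>]*\/?>/gi;
const EVENT_HANDLER_ATTR = /\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
const JS_URL_ATTR = /\s+(href|src|xlink:href|formaction)\s*=\s*(["']?)\s*javascript:[^"'>\s]*\2/gi;

function sanitizeHTML(html) {
  let out = html;
  let prev;
  // Re-run until nothing changes, so a split token such as <scr<script>ipt>
  // does not reassemble into a live tag after a single pass.
  do {
    prev = out;
    out = out
      .replace(SCRIPT_LIKE, '')
      .replace(SCRIPT_LIKE_OPEN, '')
      .replace(EVENT_HANDLER_ATTR, '')
      .replace(JS_URL_ATTR, '');
  } while (out !== prev);
  return out;
}

// Mirrors the flow the advisory describes: the clipboard's text/html is parsed
// into a document and doc.body.innerHTML is what gets inserted. The string
// argument stands in for that body HTML, and the function returns the markup
// the editor would insert instead of touching a DOM, so it runs in Node.
function paste(bodyHTML, { sanitize }) {
  let textHTML = bodyHTML;
  if (sanitize) {
    textHTML = sanitizeHTML(textHTML); // the 3.8.7 fix: sanitize before use
  }
  return textHTML;
}

// Constructed sample of the kind of markup a victim might copy from a hostile page.
const SAMPLE_PASTE =
  '<p>Hello</p><img src="x" onerror="alert(1)">' +
  '<script>alert(2)</script><a href="javascript:alert(3)">link</a>';

console.log('vulnerable:', paste(SAMPLE_PASTE, { sanitize: false }));
console.log('fixed:     ', paste(SAMPLE_PASTE, { sanitize: true }));
```

The vulnerable path returns the markup unchanged, so the `onerror` handler and script would run once inserted; the fixed path returns `<p>Hello</p><img src="x"><a>link</a>`.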
Preconditions
- input: Victim must copy a malicious HTML payload from an attacker-controlled source (e.g., a webpage, email, or document).
- input: Victim must paste the copied content into a Vditor editor instance (version prior to 3.8.7).
- network: The Vditor editor must be loaded in the victim's browser, typically on a website that embeds the editor.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vfmp-9999-6wqj (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2021-32855 (advisory, via GHSA)
- securitylab.github.com/advisories/GHSL-2021-1006-vditor (advisory, via GHSA)
- github.com/Vanessa219/vditor/commit/1b2382d7f8a4ee509d9245db4450d926a0b24146 (web, via GHSA)
- github.com/Vanessa219/vditor/issues/1085 (web, via GHSA)
- securitylab.github.com/advisories/GHSL-2021-1006-vditor (via MITRE)