Merge branch 'hotfix/3.0.3' - Security hotfix v3.0.3

Author: kolkov

CHANGELOG.md

@@ -1,3 +1,23 @@
+<a name="3.0.3"></a>
+## [3.0.3](https://github.com/kolkov/angular-editor/compare/v3.0.2...v3.0.3) (2025-01-22) - Security Hotfix
+
+### Security
+* **CRITICAL:** Fixed XSS vulnerability in `refreshView()` method ([#580](https://github.com/kolkov/angular-editor/issues/580)) ([774a97d](https://github.com/kolkov/angular-editor/commit/774a97d))
+  - XSS could bypass sanitizer when setting editor value via ngModel/formControl
+  - Sanitization now properly applied to all innerHTML assignments
+  - Thanks to @MarioTesoro for responsible disclosure with PoC
+
+### Bug Fixes
+* **links:** Preserve relative URLs when editing existing links ([#359](https://github.com/kolkov/angular-editor/issues/359)) ([c691d30](https://github.com/kolkov/angular-editor/commit/c691d30))
+  - Use `getAttribute('href')` instead of `.href` property
+  - Prevents adding hostname to relative paths
+* **debug:** Remove debug `console.log` statement from focus() method ([#324](https://github.com/kolkov/angular-editor/issues/324)) ([c691d30](https://github.com/kolkov/angular-editor/commit/c691d30))
+
+### Upgrade Recommendation
+**IMMEDIATE UPGRADE RECOMMENDED** for all users. This release fixes a critical security vulnerability.
+
+---
+
 <a name="3.0.2"></a>
 ## [3.0.2](https://github.com/kolkov/angular-editor/compare/v3.0.1...v3.0.2) (2025-01-22)
 

projects/angular-editor/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kolkov/angular-editor",
-  "version": "3.0.2",
+  "version": "3.0.3",
   "description": "A simple native WYSIWYG editor for Angular 20+. Rich Text editor component for Angular.",
   "author": "Andrey Kolkov <a.kolkov@gmail.com>",
   "repository": "https://github.com/kolkov/angular-editor",

projects/angular-editor/src/lib/ae-toolbar/ae-toolbar.component.ts

@@ -260,8 +260,10 @@ export class AeToolbarComponent {
     const selection = this.editorService.savedSelection;
     if (selection && selection.commonAncestorContainer.parentElement.nodeName === 'A') {
       const parent = selection.commonAncestorContainer.parentElement as HTMLAnchorElement;
-      if (parent.href !== '') {
-        url = parent.href;
+      // Use getAttribute to preserve relative URLs instead of href which returns absolute URL
+      const href = parent.getAttribute('href');
+      if (href !== '' && href !== null) {
+        url = href;
       }
     }
     url = prompt('Insert URL link', url);
@@ -380,6 +382,5 @@ export class AeToolbarComponent {
 
   focus() {
     this.execute.emit('focus');
-    console.log('focused');
   }
 }

projects/angular-editor/src/lib/editor/angular-editor.component.ts

@@ -275,7 +275,11 @@ export class AngularEditorComponent implements OnInit, ControlValueAccessor, Aft
    */
   refreshView(value: string): void {
     const normalizedValue = value === null ? '' : value;
-    this.r.setProperty(this.textArea.nativeElement, 'innerHTML', normalizedValue);
+    // Apply sanitization to prevent XSS when setting innerHTML
+    const sanitizedValue = this.config.sanitize !== false
+      ? this.sanitizer.sanitize(SecurityContext.HTML, normalizedValue)
+      : normalizedValue;
+    this.r.setProperty(this.textArea.nativeElement, 'innerHTML', sanitizedValue);
 
     return;
   }