Impact
XSS vulnerability due to improperly sanitizing URLs of links that can be attached on canvas elements. This affects users of the npm package @excalidraw/excalidraw provided it was deployed in environments where untrusted user input in drawings that are then shared with third parties is a concern. If you only hosted the editor in trusted environments, or sharing didn't take place, the impact is minimized.
Patches
Patch is available on version 0.15.3 and up (stable), or latest @excalidraw/excalidraw@next (unstable releases).
Workarounds
No workaround without upgrading unless deployed in environments without untrusted user input.
References
https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658
#6728
Impact
XSS vulnerability due to improperly sanitizing URLs of links that can be attached on canvas elements. This affects users of the npm package
@excalidraw/excalidrawprovided it was deployed in environments where untrusted user input in drawings that are then shared with third parties is a concern. If you only hosted the editor in trusted environments, or sharing didn't take place, the impact is minimized.Patches
Patch is available on version 0.15.3 and up (stable), or latest
@excalidraw/excalidraw@next(unstable releases).Workarounds
No workaround without upgrading unless deployed in environments without untrusted user input.
References
https://security.snyk.io/vuln/SNYK-JS-EXCALIDRAWEXCALIDRAW-5841658
#6728