Coordinated Disclosure Timeline
- 2022-05-12: Opened an issue asking for a security contact
- 2022-05-16: Asked for a security contact email@example.com (Undelivered)
- 2022-06-12: Asked for a security contact firstname.lastname@example.org
- 2022-06-21: email@example.com contacts the Security Lab regarding the opened issue
- 2022-06-21: Report sent to firstname.lastname@example.org
- 2022-07-14: The vulnerability is fixed.
nhn/tui.grid component is vulnerable to XSS attacks when pasting specially crafted content into editable cells.
Toast UI Grid
Issue: XSS pasting HTML in editable cell (
There is a vulnerability when specially crafted html content is pasted in an editable cell.
- Open https://cdn.sekurak.pl/copy-paste/playground.html
<img src="" onerror="alert(123)" />into the HTML Input box and click
Copy as HTML
- Go to https://ui.toast.com/tui-grid
- Double click an input cell (eg. one in the “Artist” column), and paste the HTML you copied in .
- Exit the cell by clicking any other cell.
This issue may lead to XSS.
- Fix commit.
This issue was discovered by CodeQL team members @kaeluka (Stephan Brandauer) and @erik-krogh (Erik Krogh Kristensen), using a CodeQL query originally contributed by community member @bananabr (Daniel Santos).
You can contact the GHSL team at
email@example.com, please include a reference to
GHSL-2022-029 in any communication regarding this issue.