
Cross-site Scripting in quill in Quill 1.3.7 (CVE-2021-3163)

Open nbouvrette opened this issue 1 year ago • 6 comments

As detailed here https://github.com/advisories/GHSA-4943-9vgg-gr5r there is a security vulnerability being tracked, and it is also being reported when installing React-quill with npm:

quill  <=1.3.7
Severity: moderate
Cross-site Scripting in quill - https://github.com/advisories/GHSA-4943-9vgg-gr5r
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/quill
  react-quill  >=0.0.3
  Depends on vulnerable versions of quill
  node_modules/react-quill

It looks like this is being tracked here: https://github.com/quilljs/quill/issues/3364 (+2 years old issue!?)

I'm not too sure what the references to Quill 2 are about, because the last Quill release dates from 2019... not too sure what is going on?

nbouvrette, Sep 01 '23 23:09
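A check for the dependency chain shown in that audit output, added here as an example (not react-quill's or quill's own code): it walks an npm lockfile (lockfileVersion 2 or 3, which carry a `packages` map) and reports each dependent whose `quill` resolves to a version in the advisory's `<=1.3.7` range. The lockfile, the `other-editor` package and the nested `2.0.0-dev.3` copy are constructed sample data, included so the prerelease ordering (above 1.3.7, below 2.0.0) is exercised.

```javascript
// Added example, not code from react-quill or quill. SAMPLE_LOCK is a
// constructed lockfile: react-quill pulls in the vulnerable quill 1.3.7,
// while a hypothetical "other-editor" carries its own nested quill 2.0.0-dev.3.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "react-quill": "^2.0.0", "other-editor": "^1.0.0" } },
    "node_modules/react-quill": { version: "2.0.0", dependencies: { quill: "^1.3.7" } },
    "node_modules/quill": { version: "1.3.7" },
    "node_modules/other-editor": { version: "1.0.0", dependencies: { quill: "2.0.0-dev.3" } },
    "node_modules/other-editor/node_modules/quill": { version: "2.0.0-dev.3" },
  },
};
// Numeric major.minor.patch comparison; a prerelease (2.0.0-dev.3) sorts
// below its release (2.0.0) but above any lower release such as 1.3.7.
function compareVersions(a, b) {
  const [aCore, aPre] = a.split("-");
  const [bCore, bPre] = b.split("-");
  const ap = aCore.split(".").map(Number);
  const bp = bCore.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (ap[i] !== bp[i]) return ap[i] - bp[i];
  if (aPre === bPre) return 0;
  if (aPre === undefined) return 1;
  if (bPre === undefined) return -1;
  return aPre < bPre ? -1 : 1;
}
// Mimic Node resolution: the dependent's own node_modules first, then each
// enclosing node_modules up to the project root.
function resolveDependency(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in lock.packages) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// One record per dependent that ends up with a quill in the vulnerable range.
function findVulnerableQuill(lock, maxVulnerable = "1.3.7") {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (!pkg.dependencies || !("quill" in pkg.dependencies)) continue;
    const resolved = resolveDependency(lock, path, "quill");
    if (resolved === null) continue;
    const version = lock.packages[resolved].version;
    if (compareVersions(version, maxVulnerable) > 0) continue;
    findings.push({ dependent: path || "(root)", path: resolved, version });
  }
  return findings;
}
```

On a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested 2.0.0-dev.3 copy is deliberately not reported.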

See https://github.com/quilljs/quill/issues/3768#issuecomment-1654873923, we will update when they release 2.0 stable

alexkrolick, Sep 15 '23 00:09

In the meantime, could we generate a 2.0.0-dev.1 release of react-quill that uses https://www.npmjs.com/package/quill/v/2.0.0-dev.3?

matthew-cook-dxd, Nov 14 '23 16:11

https://github.com/zenoamaro/react-quill/pull/711, if someone wants to get this PR up to date with the suggestions in the discussion.

alexkrolick, Nov 17 '23 18:11

Hello. The issue is still here. Do you have an update on this?

freddsomm, Mar 16 '24 15:03

+1

jeannnemelanie, Mar 25 '24 15:03

@alexkrolick Quill 2 has been released. https://slab.com/blog/announcing-quill-2-0/

adgoncal, Apr 17 '24 13:04