build(deps): bump jodit from 4.12.26 to 4.12.27#4410

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/jodit-4.12.27

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 24, 2026


Bumps jodit from 4.12.26 to 4.12.27.

Changelog

Sourced from jodit's changelog.

Changelog

Tags:

  • 💥 [Breaking Change]
  • 🚀 [New Feature]
  • 🐛 [Bug Fix]
  • 📝 [Documentation]
  • 🏠 [Internal]
  • 💅 [Polish]

4.12.28

🐛 Bug Fix

  • Security / clean-html (mutation XSS, CWE-79): the HTML sanitizer (safeHTML) walked the parsed value as elements, but a handler smuggled as <style> rawtext inside a MathML/SVG foreign-content carrier (e.g. math > mtext > table > mglyph > style hiding an <img onload=…>) was never an element during that walk. A later serialize-reparse then hoisted the <img> out of <style> into a live HTML node with its on* handler intact, so an application that re-rendered editor.value could execute attacker script with no user interaction — a stored XSS in the default config affecting all 3.x/4.x through 4.12.27. The fix drops the smuggled HTML at the source: any HTML-namespace element the parser placed inside <math>/<svg> outside an integration point (foreignObject/annotation-xml/desc/title) is removed before the walk, which also covers carriers nested one level deeper without a re-parse loop. Legitimate MathML/SVG content and top-level <style>/<script> are preserved. Responsibly reported by Younghun Ko of AhnLab (@koyokr) (GHSA-rxcw-mc6f-6hr3).
Commits
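The pruning rule the changelog entry describes, as an added example that is not jodit's own code: a namespace-aware walk that removes every HTML-namespace element whose parent is a `<math>`/`<svg>` element other than one of the named integration points, before an element-by-element sanitizer walk runs. The node shape, the `el`/`text` constructors, the serializer and the sample tree are all constructed for this example (a real implementation would walk a DOM and read `node.namespaceURI`); the namespaces assigned to the sample carrier chain are assumptions, not parser output.

```javascript
// Added example (not jodit's code): drop HTML-namespace elements that the
// parser placed inside <math>/<svg> anywhere other than below an integration
// point, before the sanitizer's element walk. Node shape, sample tree and
// serializer are assumptions made for this example.

const HTML_NS = 'http://www.w3.org/1999/xhtml';
const MATHML_NS = 'http://www.w3.org/1998/Math/MathML';
const SVG_NS = 'http://www.w3.org/2000/svg';

// Integration points named in the changelog entry: HTML content below these is expected.
const INTEGRATION_POINTS = new Set(['foreignobject', 'annotation-xml', 'desc', 'title']);

function el(ns, name, children = [], attrs = {}) {
  return { type: 'element', ns, name: name.toLowerCase(), attrs, children };
}
function text(data) {
  return { type: 'text', data };
}

// An HTML-namespace child is legitimate only if its parent is itself HTML
// (top level, or back in HTML content below an integration point) or the
// parent is an integration point. Anything else is smuggled and is dropped
// together with its subtree, so rawtext hidden in a carried <style> never
// reaches a later serialize/re-parse step.
function htmlChildrenAllowed(parent) {
  return parent.ns === HTML_NS || INTEGRATION_POINTS.has(parent.name);
}

// Returns a new tree; the input is left untouched.
function pruneForeignHtml(node) {
  if (node.type !== 'element') return node;
  const allowHtml = htmlChildrenAllowed(node);
  const children = node.children
    .filter((c) => allowHtml || c.type !== 'element' || c.ns !== HTML_NS)
    .map(pruneForeignHtml);
  return { ...node, children };
}

function serialize(node) {
  if (node.type === 'text') return node.data;
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${v}"`).join('');
  return `<${node.name}${attrs}>${node.children.map(serialize).join('')}</${node.name}>`;
}

// Constructed sample shaped after the carrier chain in the changelog
// (math > mtext > table > mglyph > style); the placeholder rawtext stands in
// for the hidden element. Namespaces here are assumed for the example.
const SAMPLE = el(HTML_NS, 'body', [
  el(HTML_NS, 'style', [text('p{color:red}')]),          // top-level <style>: kept
  el(MATHML_NS, 'math', [
    el(MATHML_NS, 'mi', [text('x')]),                    // legitimate MathML: kept
    el(MATHML_NS, 'mtext', [
      el(HTML_NS, 'table', [                             // HTML inside <math>, not at an integration point: dropped
        el(MATHML_NS, 'mglyph', [
          el(HTML_NS, 'style', [text('<img onload=PLACEHOLDER>')]),
        ]),
      ]),
    ]),
  ]),
  el(SVG_NS, 'svg', [
    el(SVG_NS, 'foreignObject', [el(HTML_NS, 'div', [text('kept')])]),  // integration point: kept
  ]),
]);

// Serialized result after pruning; the smuggled <table> subtree is gone while
// the top-level <style>, the <mi> and the <foreignObject> content survive.
function cleaned() {
  return serialize(pruneForeignHtml(SAMPLE));
}

console.log(cleaned());
```

Because the decision is made per parent element rather than per carrier pattern, a carrier nested one level deeper (any further MathML/SVG wrapper between `<math>` and the smuggled HTML) is removed by the same rule without a re-parse loop, which is the property the changelog entry claims for the fix.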

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file JavaScript Pull requests that update Javascript code labels Jun 24, 2026
Bumps [jodit](https://github.com/xdan/jodit) from 4.12.26 to 4.12.27.
- [Release notes](https://github.com/xdan/jodit/releases)
- [Changelog](https://github.com/xdan/jodit/blob/main/CHANGELOG.md)
- [Commits](xdan/jodit@4.12.26...4.12.27)

---
updated-dependencies:
- dependency-name: jodit
  dependency-version: 4.12.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/jodit-4.12.27 branch from 17b67ed to c10fcd9 on June 24, 2026 17:33