The latest articles on DEV Community by prince singwal (@prince_singwal_b00ae29d5d). https://dev.to/prince_singwal_b00ae29d5d https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3958033%2F74b38af6-7ee2-4e8d-83bf-dcbdada4a8a9.png https://dev.to/prince_singwal_b00ae29d5d en prince singwal Fri, 29 May 2026 08:22:39 +0000 https://dev.to/prince_singwal_b00ae29d5d/finding-vulnerable-quilljs-usage-in-production-applications-226i https://dev.to/prince_singwal_b00ae29d5d/finding-vulnerable-quilljs-usage-in-production-applications-226i <h1> Finding Vulnerable Quill.js Usage in Production Applications </h1> <p>While testing a web application recently, I noticed that the platform was loading an outdated version of Quill.js from a static asset URL.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwul4mvkvggu6g25upyxy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwul4mvkvggu6g25upyxy.png" alt="Vulnerable Quill.js 1.3.6" width="800" height="491"></a></p> <p>The application was using:</p> <ul> <li>Quill.js <code>1.3.6</code> </li> </ul> <p>After checking the version, I found that this release is affected by multiple publicly disclosed security issues.</p> <h2> What is Quill.js? </h2> <p>Quill.js is a popular rich text editor used in many modern web applications for chat systems, post editors, comments, messaging features, and internal dashboards.</p> <p>Because rich text editors process user-controlled HTML content, outdated versions can introduce serious client-side security risks.</p> <h2> Vulnerabilities Identified </h2> <h3> 1. Reverse Tabnabbing </h3> <p>Affected Versions:</p> <ul> <li>Quill.js <code>&lt; 1.3.7</code> </li> </ul> <p>Severity:</p> <ul> <li>Medium</li> </ul> <p>Reference:</p> <ul> <li>GHSA-588m-9qg5-35pq</li> </ul> <h3> Technical Details </h3> <p>The vulnerable implementation uses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>target="_blank" </code></pre> </div> <p>without:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>rel="noopener" </code></pre> </div> <p>This allows the newly opened page to access:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">window</span><span class="p">.</span><span class="nx">opener</span> </code></pre> </div> <p>An attacker-controlled page can manipulate the original tab and potentially redirect users to phishing pages.</p> <h3> Example Attack Flow </h3> <ol> <li>Victim clicks a malicious link inside editor content</li> <li>A new tab opens</li> <li>The attacker-controlled page executes: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">window</span><span class="p">.</span><span class="nx">opener</span><span class="p">.</span><span class="nx">location</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">https://fake-login-page.com</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <ol> <li>The original application tab gets replaced with a phishing page</li> </ol> <p>This issue is commonly known as Reverse Tabnabbing.</p> <h2> 2. Stored XSS via IMG onloadstart Attribute </h2> <p>Affected Versions:</p> <ul> <li>Quill.js <code>1.3.6</code> </li> </ul> <p>Reference:</p> <ul> <li>GHSA-4943-9vgg-gr5r</li> <li>CVE-2021-3163</li> </ul> <p>Severity:</p> <ul> <li>Medium</li> </ul> <h3> Technical Details </h3> <p>The HTML editor can allow dangerous attributes on user-controlled HTML content.</p> <p>A crafted payload using the <code>onloadstart</code> attribute on an <code>IMG</code> tag may trigger arbitrary JavaScript execution.</p> <p>Example payload:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;img</span> <span class="na">src=</span><span class="s">x</span> <span class="na">onloadstart=</span><span class="s">alert(document.domain)</span><span class="nt">&gt;</span> </code></pre> </div> <p>If user input is improperly sanitized before rendering, this can lead to Stored Cross-Site Scripting (Stored XSS).</p> <p>The interesting part is that this issue is disputed by some maintainers because the behavior may depend on browser handling rather than Quill itself. However, from a security testing perspective, allowing executable event handlers in rendered content still creates real attack surface.</p> <h2> Why This Matters </h2> <p>Outdated frontend libraries are often overlooked during security reviews.</p> <p>Many organizations focus heavily on backend vulnerabilities while client-side dependencies remain outdated for years.</p> <p>Rich text editors are especially sensitive because they directly process HTML content generated by users.</p> <p>Even medium-severity issues can become dangerous when combined with:</p> <ul> <li>Session-based authentication</li> <li>Admin panels</li> <li>Internal messaging systems</li> <li>Content management features</li> </ul> cybersecurity javascript security webdev