On GitHub, you can find our discussion about an issue we believe is an XSS breach in Summernote. Summernote is the Bootstrap compliant Wysiwyg editor that we have implemented in PHsPeed. As we try to make PHsPeed as safe as possible we test our software by the samples that can be found on the OWASP website. Now there are different 'truths' here, and I must admit that the developers of Summernote have some points in their response. The key issue is that if you send a piece of text that contains malicious code, it is sent to the server. There the tags are replaced by encoded tags. However when the text is sent back, then these encoded tags are translated back to the unencoded tags, and that causes the text not to be shown as entered, but it gets executed — an XSS issue. As regular edit fields and fields do not have this behavior (they show the code as text) I think it is a design issue in Summernote. But, as I wrote above, there are more 'truths' in this matter.
In the first place, it is a bad idea to enter tags in an editor anyhow. I could not post the code from OWASP here on this site because it is configured to remove the full page when it suspects malicious code. Sometimes the text gets sanitized by so that scripts are removed etc. These methods are destructive. In most this is not an issue at all. But it could be if you use the editor to enter scripts in your application.
We have introduced special properties in the system to sanitize code, in a destructive way, and by encoding only (which is not enough for !)
If you put a Summernote component on your form then by default the is set. Therefore the component is safe by default. But if you change properties, then you might become in a state where the component is not safe. It depends on your use. If you develop, you need to be aware of the security risks that you can introduce. That can occur if you set wrong properties, but also if you write your own code in events. It's a good practice to read the OWASP website and try the samples that are published there. If you find issues that are not caused by your own application code, then please let us know. We want to make a product that is as safe as possible, but it's always a between the 'bad guys' and the 'good guys.' Being aware is, at least, a good first step. Happy coding!
Owasp website: https://www.owasp.org/
Owasp xss: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)