Joan

**Name of the Vulnerable Software and Affected Versions** @udecode/plate-core versions prior to 21.5.1 and 36.5.9 **Description** The issue concerns a longstanding feature in Plate that allows adding custom DOM attributes to elements or leaves using the `attributes` property, which can be used for malicious purposes, including cross-site scripting (XSS) and information exposure. This can lead to the exposure of users' IP addresses and whether they have opened a malicious document. The risk is particularly relevant in applications where web requests to arbitrary URLs are not ordinarily allowed. Plate editors using affected versions of @udecode/plate-core are vulnerable to these information exposure attacks via the `style` attribute and other attributes that can cause web requests to be sent. The most likely DOM attributes to be vulnerable are `href` and `src` on links and iframes, respectively. **Recommendations** For Plate >= 37, specify the list of allowed attribute names in the `node.dangerouslyAllowAttributes` plugin configuration option for custom plugins. For Plate < 37, specify the list of allowed attribute names in the `dangerouslyAllowAttributes` plugin configuration option for custom plugins. If you are unable to upgrade to any of the patched versions, use a tool like `patch-package` or `yarn patch` to remove the logic from @udecode/plate-core that adds `attributes` to `nodeProps`.

**Name of the Vulnerable Software and Affected Versions** @udecode/plate-media versions prior to 36.0.10 **Description** The issue affects editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook, potentially allowing XSS if a custom parser permits `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors not using `urlParsers` and consuming the `url` property directly may also be vulnerable if the URL is not sanitized. The default parsers `parseTwitterUrl` and `parseVideoUrl` are not affected. **Recommendations** For versions prior to 36.0.10, ensure that any custom `urlParsers` do not allow `javascript:`, `data:` or `vbscript:` URLs to be returned in the `url` property of their return values. If `url` is consumed directly, validate the URL protocol before passing it to the `iframe` element. Upgrade to version 36.0.10 to resolve the issue, as it only allows HTTP and HTTPS URLs during parsing. If using the `url` property directly from `useMediaState` or `element`, validate the URL yourself, as these properties are not sanitized.