PT-2023-24769 · Npm · @Udecode/Plate-Link

Oliverwales · Published 2023-06-09 · Updated 2023-06-21 · CVE-2023-34245

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: @udecode/plate-link versions prior to 20.0.0

Description: The issue arises from the lack of URL sanitization in affected versions of the link plugin and link UI component, which allows links with JavaScript URLs to be inserted into the Plate editor, for example when opening or pasting malicious content. Version 20.0.0 introduces an allowedSchemes option that resolves the issue by rendering to the DOM only links whose URL scheme is on the allowlist (http, https, mailto, tel).

Recommendations: For versions prior to 20.0.0, upgrade to version 20.0.0 to resolve the issue. If unable to upgrade, override the LinkElement and PlateFloatingLink components with implementations that explicitly check the URL scheme before rendering any anchor element.
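The following is an added example of the scheme check the recommendation calls for; it is not code from @udecode/plate-link or from the advisory. The function names (isAllowedLinkUrl, safeHref, classifyLinks) and the sample links are constructed for illustration. The check parses the value with the WHATWG URL constructor and compares the resulting scheme against the same allowlist (http, https, mailto, tel) that version 20.0.0 adopts, so case and whitespace variants of a scheme are classified by what the browser would actually execute rather than by a string prefix match.

```javascript
// Added example (not @udecode/plate-link code): allowlist-based URL scheme
// check of the kind a LinkElement / PlateFloatingLink override would run
// before emitting an <a href=...>. Function names are assumptions.

// Same allowlist the advisory says version 20.0.0 introduces via allowedSchemes.
const DEFAULT_ALLOWED_SCHEMES = ["http", "https", "mailto", "tel"];

// Returns true only if `url` parses as an absolute URL whose scheme is in the
// allowlist. The URL parser lowercases the scheme, strips leading/trailing
// whitespace and removes embedded tab/newline characters, so obfuscated
// variants are judged by their real scheme, not by how the string starts.
function isAllowedLinkUrl(url, allowedSchemes = DEFAULT_ALLOWED_SCHEMES) {
  if (typeof url !== "string") return false;
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    // Relative or unparseable input: not an absolute URL whose scheme we can vouch for.
    return false;
  }
  const scheme = parsed.protocol.replace(/:$/, ""); // "https:" -> "https"
  return allowedSchemes.includes(scheme);
}

// The href to place on an anchor, or null when the link must not be rendered
// as a clickable anchor at all (a React override would then fall back to
// rendering the link text as plain text).
function safeHref(url, allowedSchemes = DEFAULT_ALLOWED_SCHEMES) {
  return isAllowedLinkUrl(url, allowedSchemes) ? url : null;
}

// Constructed sample links, as they might arrive by paste or from stored content.
const SAMPLE_LINKS = [
  "https://example.com/docs",
  "mailto:security@example.com",
  "tel:+15555550100",
  "javascript:alert(1)",
  " JavaScript:alert(1)",      // leading space + mixed case
  "java\tscript:alert(1)",     // embedded tab
  "data:text/html,<b>x</b>",   // not on the allowlist either
  "/relative/path",            // relative: rejected, since it cannot be vetted
];

// Classifies each sample link; returned rather than only printed so it can be checked.
function classifyLinks(links = SAMPLE_LINKS) {
  return links.map((url) => ({ url, allowed: isAllowedLinkUrl(url) }));
}

for (const { url, allowed } of classifyLinks()) {
  console.log(`${allowed ? "ALLOW" : "BLOCK"} ${JSON.stringify(url)}`);
}
```

Rejecting relative URLs is a deliberate choice here: an editor that needs them can resolve them against a trusted base first and then pass the absolute result through the same check, which keeps the scheme decision in one place.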

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2023-34245
GHSA-4882-HXPR-HRVM

Affected Products

@Udecode/Plate-Link