PT-2026-36664 · Npm · Locize
Published
2026-04-22
·
Updated
2026-04-22
CVSS v3.1
7.5
High
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L |
Summary
Versions of the
locize client SDK (the browser module that wires up the locize InContext translation editor) prior to 4.0.21 register a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin.The pre-patch listener in
src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" — that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host — an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down — could send a crafted postMessage and trigger the internal handlers.Impact
Depending on which handler the attacker invokes, distinct consequences follow. All of them share the same root cause: the handlers implicitly assumed the payload came from the real editor iframe.
-
Cross-origin DOM XSS via
editKey/commitKeys: the pre-patchhandleEditKeyassigned attacker-controlled payload values toitem.node.innerHTMLand toitem.node.setAttribute(attr, value). That allowed planting<script>,<img onerror>, oronclick/onload/onfocusevent handlers; and on attribute writes,href="javascript:…"/src="data:text/html,<script>…"/style="…"/ etc. -
api.source/api.originhijack viaisLocizeEnabled: the handler setapi.source = e.source; api.origin = e.origin— attacker-controlled values. All subsequentsendMessagecalls (which post translations, callbacks, etc., back towardapi.source) would go to the attacker window rather than the real editor, leaking translation content and any metadata the SDK forwards. -
CSS-injection / layout-escape via
requestPopupChanges:containerStyle.height/.widthwere interpolated intocalc()expressions andpopup.style.setProperty()without validation, allowing attackers to inject additional CSS declarations (semicolons,behavior:url()on legacy IE, CSS-exfil patterns) into the popup inline style.
Exploitation requires the attacker-owned page to share a window reference with the locize-enabled host: typical vectors are an
iframe on an attacker-controlled page, a window.opener/window.open relationship, or a parent frame that can postMessage into an embedded locize host. The SDK intended model is that only the editor iframe at https://incontext.locize.app (or the configured staging/development origin) can reach these handlers.Affected versions
All versions of
locize prior to 4.0.21.Patch
Fixed in 4.0.21. Two layers:
-
Primary — validate
event.originat the top ofwindow.addEventListener("message", …)insrc/api/postMessage.js. The expected origin is the configured iframe origin (getIframeUrl()), so custom environments continue to work. Messages from any other origin are silently dropped before any handler runs. -
Defence-in-depth —
handleEditKeynow rejects dangerous attribute-name writes (on*,style) andjavascript:/data:/vbscript:/file:URLs onhref/src/action/formaction/xlink:href;innerHTMLassignments are sanitised through a throwaway DOMParser document (stripping<script>,<iframe>,<object>,<embed>,<link>,<meta>,<base>,<style>plus event handlers and dangerous URL schemes). Legitimate translation formatting (<b>,<em>,<strong>,<a href="https://…">, etc.) passes through. -
CSS-injection —
handleRequestPopupChangesnow requirescontainerStyle.height/.widthto match a strict CSS length pattern; malformed values are dropped silently.
Workarounds
No workaround short of upgrading.
Credits
Discovered via an internal security audit of the locize ecosystem.
Fix
XSS
Origin Validation Error
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Locize