| Version | Supported |
|---|---|
| 3.x.x | ✅ |
| < 3.0 | ❌ |
To report a security vulnerability:
- Do NOT open a public issue
- Email security concerns to the maintainers via GitHub private vulnerability reporting
- Or open a private security advisory at: https://github.com/kolkov/angular-editor/security/advisories/new
We will respond within 48 hours and work with you to understand and address the issue.
angular-editor is a WYSIWYG rich text editor that handles user-generated HTML content. Security considerations include:
- XSS prevention: DomSanitizer is enabled by default (
sanitize: truein config) - Content sanitization: All HTML input is sanitized before rendering
- execCommand API: The editor uses the browser's native
document.execCommand()for text formatting - Image uploads: When using custom upload functions, ensure server-side validation
We follow responsible disclosure practices:
- Reporter notifies us privately
- We acknowledge and investigate
- We develop and test a fix
- We release the fix and credit the reporter (if desired)
- We publish a security advisory