plone.app.textfield: Stored XSS by spoofing mime type
Moderate severity
GitHub Reviewed
Published
Jun 5, 2026
in
plone/plone.app.textfield
•
Updated Jul 17, 2026
Package
Affected versions
< 2.0.2
>= 3.0.0, < 3.0.2
= 4.0.0
Patched versions
2.0.2
3.0.2
4.0.1
Description
Published to the GitHub Advisory Database
Jul 17, 2026
Reviewed
Jul 17, 2026
Last updated
Jul 17, 2026
Impact
A stored XSS affecting RichText fields. RichTextValue.output returns the raw, unsanitized stored value whenever the stored mimeType equals the outputMimeType. Because the safe-HTML output type (
text/x-html-safe) is the type that signifies "already sanitized", any value whose stored mimeType equals it bypasses the safe_html transform entirely on render. The transform itself is sound — it correctly stripson*event-handler attributes andjavascript:/data:URIs; the defect is that it is never invoked for these values. The unsanitized value is then emitted viatal:content="structure ...", which performs no escaping, so the payload executes in the viewer's browser.This can be a problem when a RichText field is wrongly defined in code with a
mimeTypeandoutputMimeTypethat are the same, or when the REST API is used to the same effect.Patches
The problem has been patched:
plone.app.textfieldto 2.0.2.plone.app.textfieldto 3.0.2.plone.app.textfieldto 4.0.1.Workarounds
There is no known workaround.
References