
XSS via JSON deserialization bypass in drag-and-drop (Level0InputController)

Low
flavorjones published GHSA-53p3-c7vp-4mcc Mar 26, 2026

Package: action_text-trix (RubyGems / bundler)
Affected versions: < 2.1.18
Patched versions: 2.1.18

Package: trix (npm)
Affected versions: < 2.1.18
Patched versions: 2.1.18

Description

Impact

The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted application/x-trix-document JSON payload is dropped into the editor in environments using the fallback Level0InputController (e.g., embedded WebViews lacking Input Events Level 2 support).

The StringPiece.fromJSON method trusted href attributes from the JSON payload without sanitization. An attacker could craft a draggable element containing a javascript: URI in the href attribute that, when dropped into a vulnerable editor, would bypass DOMPurify sanitization and inject executable JavaScript into the DOM.

Exploitation requires a specific environment (Level0InputController fallback) and social engineering (victim must drag and drop attacker-controlled content into the editor). Applications using server-side HTML sanitization (such as Rails' built-in sanitizer) are additionally protected, as the payload is neutralized on save.
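The fix class described above, as an added example that is not Trix's own code: a defensive filter that walks the pieces of a dropped application/x-trix-document JSON payload and drops any href attribute whose scheme is not on an allow-list, so a javascript: URI never reaches the DOM. The document shape (an array of blocks, each with a text array of pieces carrying string and attributes) is a simplified assumption, not the exact Trix serialization.

```javascript
// Added example, not Trix's own code. Assumed (simplified) document shape:
// [ { text: [ { string, attributes: { href, ... } }, ... ] }, ... ]

// Schemes a link attribute may carry; anything else is dropped.
const SAFE_HREF_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Decide whether an href value is safe to keep. The URL parser is used
// because it normalises the scheme the way browsers do: it lowercases it
// and strips leading whitespace and embedded tab/newline characters, so
// obfuscated spellings of "javascript:" are caught too.
function isSafeHref(href) {
  if (typeof href !== "string") return false;
  let parsed;
  try {
    // Relative hrefs resolve against a placeholder base and are kept.
    parsed = new URL(href, "https://example.invalid/");
  } catch (e) {
    return false; // unparseable value: treat as unsafe
  }
  return SAFE_HREF_SCHEMES.has(parsed.protocol);
}

// Walk each block's pieces, drop unsafe href attributes, and return the
// sanitized document together with the number of links that were stripped.
function sanitizeTrixDocument(doc) {
  let stripped = 0;
  const blocks = doc.map((block) => ({
    ...block,
    text: (block.text || []).map((piece) => {
      const attrs = { ...(piece.attributes || {}) };
      if ("href" in attrs && !isSafeHref(attrs.href)) {
        delete attrs.href;
        stripped += 1;
      }
      return { ...piece, attributes: attrs };
    }),
  }));
  return { document: blocks, stripped };
}

// Constructed sample: the kind of JSON a drop carrying the
// application/x-trix-document type would contain.
const SAMPLE_DROP = JSON.stringify([
  { text: [
    { string: "docs", attributes: { href: "https://example.com/docs" } },
    { string: "click", attributes: { href: " JAVA\tSCRIPT:void(0)" } },
    { string: "plain", attributes: {} },
  ] },
]);

// Entry point a drop handler would call before building pieces from JSON.
function handleDroppedTrixJSON(json) {
  return sanitizeTrixDocument(JSON.parse(json));
}
```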

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.18 or later.

References

The XSS vulnerability was responsibly reported by HackerOne researcher newbiefromcoma.

Severity

Low

CVE ID

No known CVE

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.