XSS vulnerability in link popover

Severity: High

The Link Popover UI Component accepted malicious URLs, allowing potential XSS attacks.

Affected components

Not affected

  • Other UI components or templates
  • The Link extension itself
  • Components or templates downloaded after Jun 25, 2025, 9:39 PM GMT+2

Why it happened

The component skipped editor.commands.setLink(), which normally rejects schemes such as javascript:, so that it would keep working even when the Link extension was not installed. Because of that shortcut, no validation ran at all: neither when the link was inserted nor when the user clicked the »Open in new window« button.

Note

The Link extension itself includes proper URL validation (see isAllowedUri).

What's the fix

We now call editor.commands.setLink() for every link insertion and, in addition, run a separate URL check whenever the »open in new window« button is pressed.

How to update

To update the code in your existing project, run the following command in your terminal:

npx @tiptap/cli@latest add link-popover

This will download the latest version of the link popover UI component.

Credits

Thanks to Daniyal Nasir for reporting this vulnerability.