---
title: "XSS vulnerability in link popover"
description: "The Link Popover UI Component accepted malicious URLs, allowing potential XSS attacks."
canonical_url: "https://tiptap.dev/docs/resources/incidents/06-25-2025-link-popover"
---

# XSS vulnerability in link popover

The [Link Popover UI Component](https://tiptap.dev/docs/ui-components/components/link-popover.md) accepted malicious URLs, allowing potential XSS attacks.

**Affected components**

- [Link popover component](https://tiptap.dev/docs/ui-components/components/link-popover.md) until Jun 25, 2025, 9:39 PM GMT+2
- [Simple editor template](https://tiptap.dev/docs/ui-components/templates/simple-editor.md) until Jun 25, 2025, 9:39 PM GMT+2

**Not affected**

- Other UI components or templates
- The Link extension itself
- Components or templates downloaded after Jun 25, 2025, 9:39 PM GMT+2

## Why it happened

The component skipped `editor.commands.setLink()`, which normally rejects schemes such as `javascript:`, so that it stayed functional even when the Link extension was missing. Because of that shortcut, no validation ran at all: neither when the link was inserted nor when the user clicked the »Open in new window« button.

> **Note:**
>
> The Link extension itself includes proper URL validation (see [isAllowedUri](https://tiptap.dev/docs/editor/extensions/marks/link.md#isalloweduri)).

## What's the fix

We now call `editor.commands.setLink()` for every link insertion and, in addition, run a separate URL check whenever the »Open in new window« button is pressed.
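As an added example (not Tiptap's own code), the two check points the fix describes: a scheme allowlist applied once when a link is inserted and again before the »Open in new window« button acts. The allowed scheme set and the function names are assumptions for this example.

```javascript
// Added example, not Tiptap code. The allowed scheme list is an assumption.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

// Returns true only when the input parses as a URL with an allowed scheme.
// The WHATWG URL parser strips ASCII tabs/newlines and lower-cases the
// scheme, so "  JavaScript:alert(1)" and "java\tscript:" are both caught;
// a plain regex on the raw string would miss those variants.
// Scheme-less input ("example.com/page") is resolved as a relative link.
function isAllowedUri(raw) {
  if (typeof raw !== "string") return false;
  const text = raw.trim();
  if (text === "") return false;
  let parsed;
  try {
    parsed = new URL(text, "https://relative.invalid/");
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Check point 1: link insertion. Refuse the href instead of storing it,
// which is what skipping editor.commands.setLink() had allowed.
function insertLink(href) {
  if (!isAllowedUri(href)) return { ok: false, reason: "blocked scheme" };
  return { ok: true, href: href.trim() };
}

// Check point 2: the "open in new window" button. Re-check here too,
// because an href can reach the document by a path that bypassed the
// insertion check (pasted HTML, older stored content). `win` is injected
// so the function can run outside a browser.
function openInNewWindow(href, win) {
  if (!isAllowedUri(href)) return false;
  win.open(href.trim(), "_blank", "noopener,noreferrer");
  return true;
}
```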

## How to update

To update the code in your existing project run the following command in your terminal:

```bash
npx @tiptap/cli@latest add link-popover
```

This will download the latest version of the link popover UI component.

## Credits

Thanks to [Daniyal Nasir](https://dunicot.com) for reporting this vulnerability.
