## Description
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `@cyntler/react-doc-viewer` package (v1.17.1). The vulnerability exists in the `TXTRenderer` component, which renders raw file content from `.txt` files by explicitly casting it as a `ReactNode` without any sanitization.
## Vulnerable Code
In `src/renderers/txt/index.tsx`:
```tsx
{currentDocument?.fileData as ReactNode}
```
## Proof of Concept (PoC)
To reproduce the vulnerability, create a file named `exploit.txt` with the following content and load it into the viewer:
```html
<h1 style="color: red;">Vulnerable!</h1>
<script>alert('XSS_SUCCESS'); document.body.style.background='red';</script>
<img src=x onerror="console.log('XSS_Executed_Successfully')">
```
## Impact
An attacker can execute arbitrary JavaScript in the victim's browser context. This can lead to:
- Session Hijacking via Cookie theft.
- Unauthorized actions performed on behalf of the user.
- Website defacement and phishing attacks.
## Recommended Fix
Sanitize the input using a library like DOMPurify before rendering, or avoid casting raw strings to ReactNode.
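One way to follow the second recommendation and treat `.txt` content strictly as text, shown as an added example that is not code from `@cyntler/react-doc-viewer`: normalise `fileData` to a string, refuse any other type, and escape it before it reaches an HTML sink. The helper names and the assumption that `fileData` is a string or an `ArrayBuffer` are hypothetical.

```javascript
// Added example, not the package's own code.
// Assumption: fileData arrives as a string or an ArrayBuffer / typed array.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Normalise whatever the loader produced into a plain string.
// Anything that is not text or bytes is refused instead of being rendered.
function toPlainText(fileData) {
  if (fileData === undefined || fileData === null) return "";
  if (typeof fileData === "string") return fileData;
  if (fileData instanceof ArrayBuffer || ArrayBuffer.isView(fileData)) {
    // Malformed UTF-8 becomes U+FFFD rather than throwing.
    return new TextDecoder("utf-8", { fatal: false }).decode(fileData);
  }
  throw new TypeError("TXT content must be a string or an ArrayBuffer");
}

// Escape every character that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical helper: the only path by which file content reaches markup.
function renderTxtAsHtml(fileData) {
  return `<pre>${escapeHtml(toPlainText(fileData))}</pre>`;
}

// Constructed sample: the exploit.txt content from the PoC section.
const SAMPLE_TXT = [
  `<h1 style="color: red;">Vulnerable!</h1>`,
  `<script>alert('XSS_SUCCESS'); document.body.style.background='red';</script>`,
  `<img src=x onerror="console.log('XSS_Executed_Successfully')">`,
].join("\n");

console.log(renderTxtAsHtml(SAMPLE_TXT));
```

In a browser, assigning the decoded string to an element's `textContent` gives the same result without manual escaping.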