In the "Allowed HTML tags" field of the text format settings (e.g. admin/config/content/formats/manage/basic_html), raw user input is saved and displayed unescaped, so arbitrary markup can be injected through the tag list.
You can reproduce this vulnerability as follows:
1. Go to admin/config/content/formats/manage/basic_html
2. Paste `<img src=x onerror=alert(1)>` into "Allowed HTML tags"
3. Save, or simply blur the input
4. Edit the format again (the payload also executes directly on blur)
Proposed resolution
A. Use document.implementation.createHTMLDocument (an inert document, so the parsed markup does not execute). See background details: https://github.com/jquery/jquery/issues/2965
B. Fork the CKEditor parser. (The patch below is only a demo, not the final fork.)
Pros: it may be able to share the same data structures as the CKEditor config.
Remaining tasks
- Pick a workaround
- Code patch and tests
User interface changes
- N/A
Data model changes