Plate media plugins has a XSS in media embed element when using custom URL parsers
Editors that use MediaEmbedElement and pass custom urlParsers to the useMediaState hook may be vulnerable to XSS if a custom parser allows javascript:, data: or vbscript: URLs to be embedded. Editors that do not use urlParsers and instead consume the url property directly may also be vulnerable if the URL is not sanitised. The default parsers parseTwitterUrl and parseVideoUrl are not affected. Examples of vulnerable code: const { embed } …