Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Editor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 is vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper’s innerHTML. This issue is patched in version 2.26.0.