CVE-2019-17022 in Firefox

Summary

by MITRE

When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. This vulnerability affects Firefox ESR < 68.4 and Firefox < 72.


Analysis

by VulDB Data Team • 01/20/2026

This vulnerability is a cross-site scripting risk that emerges from improper handling of HTML content within rich text editors. The flaw occurs specifically when users paste content containing style tags from the clipboard into web-based text editors, where the CSS sanitizer fails to escape less-than and greater-than characters. While the immediate impact appears contained within the editor's internal processing, the vulnerability creates a chain of operations that can lead to persistent XSS attacks. The technical root cause is a failure in the sanitization process: the system assumes that content pasted into a text node will remain isolated, but this assumption proves incorrect when subsequent operations copy the innerHTML content elsewhere in the document.

The vulnerability operates through a multi-stage attack vector that begins with seemingly innocuous clipboard operations and escalates to full exploitation. When users paste content containing style tags, the sanitizer processes the CSS but leaves the angle brackets unescaped, creating a malformed HTML structure. This structure becomes problematic when the editor's innerHTML is later assigned to another element's innerHTML property, as the browser's HTML parser will then interpret the unescaped characters as actual HTML tags. The vulnerability affects Firefox ESR versions prior to 68.4 and standard Firefox versions before 72, indicating this was a widespread issue across multiple browser releases. The flaw demonstrates a classic case of insufficient input validation and output encoding, where the system fails to properly sanitize content for its intended context, leading to a security boundary violation.
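The two-stage mechanism described above, as an added example that is not code from the VulDB page, from MITRE, or from Mozilla: a small node model whose serializer can be switched between correct escaping of text-node data and the flawed behaviour (raw `<` and `>` emitted), a tag scanner that approximates what an `innerHTML` assignment would re-parse, a defender-side check that serialized text contains no raw angle brackets, and a text-only copy as a consuming-side mitigation. The node objects, the `escapeText` switch and the pasted sample string are assumptions for the demo; the page does not say where in Firefox's paste pipeline the escaping was missing, so this models the class of flaw rather than the actual sanitizer code.

```javascript
// Added example (not from the VulDB page, MITRE, or Mozilla): models why an
// innerHTML-to-innerHTML copy becomes XSS when a serializer fails to escape
// '<' and '>' in text-node data. Node shapes and the escapeText switch are
// assumptions for the demo, not Firefox's sanitizer.

// What a correct HTML serializer must do with text-node data before that
// string can safely be assigned to innerHTML: '&' first, then the brackets.
function escapeTextNode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Serialize a tiny node tree to an HTML string. escapeText=true is the
// correct behaviour; escapeText=false models the flaw: text emitted raw.
function serialize(node, escapeText = true) {
  if (node.type === 'text') return escapeText ? escapeTextNode(node.data) : node.data;
  const inner = node.children.map(c => serialize(c, escapeText)).join('');
  return `<${node.tag}>${inner}</${node.tag}>`;
}

// Approximates the HTML parser's view of a string assigned to innerHTML:
// returns the element tag names that would be created (start tags only).
// Enough to show whether former text has turned into markup.
function tagsOnReparse(html) {
  const tags = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = re.exec(html)) !== null) tags.push(m[1].toLowerCase());
  return tags;
}

// Defender-side check: a serialized text node must contain no raw '<' or '>'.
// Run it on whatever the editor produced before anything copies it by innerHTML.
function textNodeSerializedSafely(node, escapeText) {
  return node.children
    .filter(c => c.type === 'text')
    .every(c => !/[<>]/.test(serialize(c, escapeText)));
}

// Constructed sample: pasted clipboard content that the paste handler stored
// as a text node. A harmless <b> stands in for any markup an attacker supplies.
const pasted = '<style>p{color:red}</style><b>looks like markup</b>';
const editorBody = {
  type: 'element',
  tag: 'div',
  children: [{ type: 'text', data: pasted }],
};

// Correct serializer: re-parsing yields only the outer <div>; the paste stays text.
function safeRoundTrip() {
  return tagsOnReparse(serialize(editorBody, true));
}

// Flawed serializer: re-parsing turns the pasted text into real <style> and <b>
// elements, which is the boundary violation the advisory describes.
function flawedRoundTrip() {
  return tagsOnReparse(serialize(editorBody, false));
}

// Consuming-side mitigation (an assumption for the demo, one of several fixes):
// move text as text via textContent-style access, never through a re-parsed
// string, so the serializer's behaviour no longer matters.
function copyAsText(node) {
  const text = node.children.filter(c => c.type === 'text').map(c => c.data).join('');
  return { type: 'element', tag: node.tag, children: [{ type: 'text', data: text }] };
}
```

`safeRoundTrip()` returns `['div']` while `flawedRoundTrip()` returns `['div', 'style', 'b']`: the same pasted data, stored as text both times, only becomes markup when the serialization step between the two `innerHTML` operations fails to escape. The check in `textNodeSerializedSafely` is the single-pass assertion a page can make before it ever copies editor output, and `copyAsText` shows that consumers which avoid the serialize-then-reparse path are unaffected regardless of the sanitizer's behaviour.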

The operational impact of this vulnerability extends beyond simple content manipulation, creating a persistent threat vector that can compromise user sessions and data integrity. Attackers can craft malicious clipboard content that, when pasted into vulnerable editors, remains dormant until the content is later copied and reinserted into other HTML contexts. This creates a time-dependent attack scenario where the initial compromise occurs during clipboard operations, but the actual exploitation happens during subsequent HTML processing. The vulnerability affects two specific WYSIWYG editors, suggesting that this is not an isolated issue but rather a pattern of implementation flaws in rich text editor components. This aligns with CWE-79, which describes cross-site scripting vulnerabilities resulting from improper sanitization of user-provided data. The issue also relates to ATT&CK technique T1059.001, which involves command and scripting interpreter usage, as the vulnerability enables malicious code execution through HTML content manipulation.

The security implications of this vulnerability are particularly concerning given the prevalence of rich text editors in web applications. The flaw represents a failure in the principle of least privilege, where the system does not properly validate or sanitize content that will be processed in multiple contexts. The vulnerability's persistence across multiple Firefox releases indicates that the sanitization logic was fundamentally flawed rather than being a simple implementation oversight. Organizations using affected browsers or applications should implement immediate mitigations including browser updates, content security policy enforcement, and additional input validation layers. The vulnerability highlights the importance of context-aware sanitization where content must be properly escaped for its specific destination context rather than relying on a single sanitization pass. This case demonstrates how seemingly minor oversights in HTML processing can create significant security risks when content flows through multiple processing stages within web applications.
