Quill editor's CVE-2021-3163 is another example of how confusing identifying security boundaries and evaluating #CVE data can be: the project thinks it's not their responsibility to filter data incoming from the (trusted) server, while many users assume the frontend component will handle such cases for them securely.
I got a bunch of nice stored XSS vulns as a result in real-world apps even recently.
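The boundary the post describes, as an added example (not Quill's code and not the author's): the application must reduce server-supplied rich text to an allowlist before it reaches the editor or any innerHTML sink, because the editor does not do it for you. The tag list, `SAFE_URL`, `pickAttribute` and the `serverDocument` payload (including the hypothetical `steal()`) are constructed for this illustration.

```javascript
'use strict';

// Allowlist of tags the application is willing to store and render, and the attributes
// kept on each; anything not listed is removed. A Map avoids prototype keys such as
// "constructor" sneaking through a plain-object lookup.
const ALLOWED = new Map([
  ['p', []], ['br', []], ['b', []], ['i', []], ['u', []], ['em', []],
  ['strong', []], ['ul', []], ['ol', []], ['li', []], ['blockquote', []],
  ['a', ['href']],
]);
// Only these URL schemes survive on <a href>; "javascript:", "data:" and friends do not.
const SAFE_URL = /^(?:https?:|mailto:)/i;
// One token is either a complete tag (name + raw attribute text) or a lone < or >.
const TOKEN = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[<>]/g;

function pickAttribute(rawAttrs, name) {
  // Anchored on whitespace so "data-href=..." cannot stand in for "href=...".
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = re.exec(rawAttrs);
  return m ? (m[1] ?? m[2] ?? m[3]).trim() : null;
}

// Reduce server-supplied HTML to the allowlist. Run this on the application side,
// before the markup is handed to the editor (or any innerHTML sink).
function sanitizeRichText(html) {
  return String(html).replace(TOKEN, (tok, name, rawAttrs) => {
    if (name === undefined) return tok === '<' ? '&lt;' : '&gt;'; // stray brackets become text
    const tag = name.toLowerCase();
    const keptAttrs = ALLOWED.get(tag);
    if (!keptAttrs) return '';                     // <script>, <img>, <iframe>, ... dropped whole
    if (tok.startsWith('</')) return `</${tag}>`;  // closing tags never carry attributes
    let out = `<${tag}`;
    for (const attr of keptAttrs) {
      const value = pickAttribute(rawAttrs, attr);
      if (value === null) continue;
      if (attr === 'href' && !SAFE_URL.test(value)) continue;  // unsafe scheme: drop the attribute
      out += ` ${attr}="${value.replace(/"/g, '&quot;')}"`;
    }
    return `${out}>`;
  });
}

// Constructed example of a document body as it might come back from the API (not a real
// payload from the CVE): harmless formatting plus markup a browser would execute if it
// were pasted into the editor or assigned to innerHTML unfiltered.
const serverDocument =
  '<p onmouseover="steal()">Quarterly <b>report</b></p>' +
  '<img src=x onerror="alert(document.cookie)">' +
  '<a href="javascript:alert(1)">link</a>';

console.log(sanitizeRichText(serverDocument));
// -> <p>Quarterly <b>report</b></p><a>link</a>
```

A hand-rolled allowlist like this is only a teaching aid for where the filtering belongs; a production app should run a maintained sanitizer (for example DOMPurify) at the same point in the flow.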