Firefox before 81.0 sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a content-editable element.
Firefox before 81.0 sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a content-editable element.
https://www.mozilla.org/en-US/security/advisories/mfsa2020-42/#CVE-2020-15676 https://bugzilla.mozilla.org/show_bug.cgi?id=1646140