
Suggesting to remove Django Quill Editor due to vulnerabilities and low maintenance. #302

Merged
merged 2 commits into from
Jan 4, 2025

Conversation

TimothyMalahy
Contributor

@TimothyMalahy TimothyMalahy commented Jan 1, 2025

Full disclosure, I am struggling to tell if it's actively maintained to a reasonable degree. But it also has an XSS vulnerability, and it seems to be quite nice on the surface, and I would hate for someone newer to Django to accidentally expose themselves to an attack.

I'm newer to the Django packaging side of things, so maybe I'm incorrect, or that's just the riskiness of things with WYSIWYG editors.

At minimum it should be noted in the README that it's not designed for Django forms and is much better suited to the admin page exclusively.

It was originally added to the README on September 24th, 2021. Apparently when Jeff was really looking into WYSIWYG editors, as it's 3 of the 4 packages added in that commit? lol

Overall it seems like it might be a good candidate for Jazzband to maintain, considering the licensing of Quill is very friendly compared to some other WYSIWYG editors. There is an issue raised for this specific suggestion with no response.

Like I said, this isn't something I'm particularly knowledgeable on, so whatever Jeff/Will feel, as I'm quite naive to this side of Django. I just thought I'd raise the concern and bring up what research I did, to help save some of the time they would spend digging into it.

Things I noticed

  1. It depends on Quill.js 1.3.7, which was released on Sep 9, 2019. The Quill.js package has since moved to version 2.0.0 in April of 2024.
  2. Django Quill Editor had minor updates (probably due to maintainers' time constraints) on Sep 20th of 2024, but it was largely merging a couple of people's minor changes, in addition to making a note on the XSS attacks. Prior to that, the most recent commits were Feb 7th, 2023 and Jun 20th, 2022.

Sep 20th updates

Feb 7th 2023 Updates ([link](https://github.com/LeeHanYeong/django-quill-editor/commit/f49eabd65503462f0a9081626dfc66d2d7ddce36))

  • Updated Docker files from Python:3.10-alpine to 3.10-slim
  • Updated from Django 3.2.9 to 4.1.3 (this was largely for the playground Docker file)
    • Note that Django 4.2 (the latest LTS) came out April 3rd, 2023 (2 months later).
    • Note that 3.2.9 was released November 1st, 2021.

Prior to that there were

  • 3 commits in Jun 20, 2022.
  • 1 commit Feb 8, 2022
  • commits every 2-3 weeks in Jan 2022 back to Dec 6 2021.
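The post above flags the core risk of a browser-side WYSIWYG editor wired into a public Django form: the HTML that comes back is untrusted user input, unlike content typed by staff in the admin, and if it is stored and later rendered as safe markup it becomes an XSS sink. As an added, defender-side illustration that is not part of this PR, of django-quill-editor, or of Quill.js, and that says nothing about the specific vulnerability the thread refers to, the standard-library allow-list sanitizer below is the kind of check a form's clean method (or the save path) would apply before any such HTML is marked safe. The tag and attribute policy and the `sanitize_rich_text` name are assumptions chosen for the example.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list policy for rich text submitted through a public form (an assumed
# example policy, not the editor's or the project's own). Anything not listed
# is dropped; text content is always escaped on output.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "s",
                "ul", "ol", "li", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no style, no class, no on* handlers
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br"}                       # emitted without a closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # the tag *and* its text are discarded


def _safe_url(value):
    """True if the href uses an allowed scheme. ASCII control characters and
    whitespace are removed first, because browsers ignore them inside URLs."""
    if value is None:
        return False
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allow-listed tags/attributes and escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # output fragments
        self.open = []       # allow-listed tags currently open, for balancing
        self.skip_depth = 0  # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers, style=, src= and so on
            if name == "href" and not _safe_url(value):
                continue  # non-allow-listed URL schemes are removed
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open:
            return
        # Close tags the input left open inside this one, then this one.
        while self.open:
            top = self.open.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctype declarations and processing instructions are dropped
    # by the parent class defaults: they never reach self.out.

    def result(self):
        self.close()      # flush text the parser is still buffering
        while self.open:  # balance whatever the input never closed
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_rich_text(html):
    """Return a sanitised copy of editor HTML that is safe to store and render."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of the kind of markup a browser-side editor might submit.
    sample = ('<p onclick="x()">Hello <b>world</b></p>'
              '<a href="javascript:alert(1)">click</a>'
              '<script>alert(1)</script><img src=x onerror=alert(1)>')
    print(sanitize_rich_text(sample))  # <p>Hello <b>world</b></p><a>click</a>
```

The design point is that the policy is an allow-list, not a block-list: unknown tags and attributes disappear by default, URL schemes are checked after stripping the control characters browsers ignore, and the output is re-serialised from scratch rather than patched in place, so unbalanced or half-closed input cannot smuggle markup through. The same code would behave identically for admin-entered content; the difference the thread draws is only about whose input reaches it.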

@TimothyMalahy
Contributor Author

Note that this has 2 commits because when I saved the README initially, my editor autoformatted a portion of the README. My second commit was undoing that, so it appears I made a lot of changes, but it was actually:

Commit changes (autoformat + the removal of django-quill-editor) --> commit changes undoing autoformat --> Merge.

The Files Changed tab paints a much better picture of my changes.

@jefftriplett
Collaborator

jefftriplett commented Jan 4, 2025

This predates my time on the project. I think you are seeing a cleanup/lint commit I did. fba7264 was the origin of the addition.

I'm fine with removing this given the security concern. That's before my time.

@jefftriplett jefftriplett reopened this Jan 4, 2025
@jefftriplett jefftriplett merged commit 061487c into wsvincent:main Jan 4, 2025
@jefftriplett
Collaborator

@TimothyMalahy thank you for raising this concern.

@TimothyMalahy
Contributor Author

TimothyMalahy commented Jan 4, 2025

> This predates my time on the project. I think you are seeing a cleanup/lint commit I did. fba7264 was the origin of the addition.
>
> I'm fine with removing this given the security concern. That's before my time.

Ahh, my mistake, sorry about that! I just used the git CLI and am definitely not used to it that way.

My last project at work made it look like I wrote 80% of the code base because I ran black on everything and was the last editor lol.

Sorry about that again, didn't mean to come off as accusatory if it did!

@jefftriplett
Collaborator

All good. No ill-will was assumed. :)
