Kendo UI for Angular Editor Component (npm package @progress/kendo-angular-editor) before version 1.2.3 is vulnerable to Cross-Site Scripting. When the Editor content contains potentially malicious scripts in element event handlers, they get executed.
Adding the following content to the Editor value demonstrates the issue: <img src="" onerror=alert(document.domain)>.

References

• https://stackblitz.com/edit/angular-6xzuzp-tef7lb?file=app/app.component.ts
• https://www.npmjs.com/advisories/1549
• https://github.com/telerik/kendo-angular-editor