formio / formio.js

JavaScript powered Forms with JSON Form Builder

Home Page: https://formio.github.io/formio.js


Potential XSS vulnerability.

RahulKhandelwal17 opened this issue · comments

We are doing R&D on the form.io JS library, and while doing research we found a potential XSS vulnerability.
The issue arises when specific text is entered during the addition of a component.
To replicate, drag and drop a component and paste the following code into the Tooltip text area:

<img src=x onerror=window.open('https://www.google.com/');>

Immediately after pasting, it triggers a new tab to open.
Additionally, once saved or if any further modification is made to the form, it causes redirections with each action.

(Attached screen recording: JavaScript.Powered.Forms.and.Form.io.SDK.-.Google.Chrome.2024-01-04.17-00-32.mp4)
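The report above describes the classic stored-XSS shape: text typed into a builder field (here the component tooltip) is written into the page as markup, so an `<img onerror=...>` payload executes both when pasted and on every later render of the saved form. The block below is an added illustration of that bug class and its fix, written for this page; it is not formio.js code, the helper names (`renderTooltipUnsafe`, `renderTooltipSafe`, `escapeHtml`, `findEventHandlerTags`) are hypothetical, and the wrapper markup is a stand-in for whatever the real builder emits. It runs under Node without a DOM and also reports the element count when run in a browser.

```javascript
// Added example: vulnerable vs. hardened tooltip rendering. Not formio.js
// code; all names below are hypothetical stand-ins for the real builder.

// The payload posted in the issue (the reporter's constructed test input).
const TOOLTIP_PAYLOAD = "<img src=x onerror=window.open('https://www.google.com/');>";

// Vulnerable pattern: builder-supplied text is concatenated straight into
// markup that later lands in innerHTML. Any tag or event-handler attribute
// in the text becomes live DOM each time the tooltip is rendered, which is
// why the reporter saw the popup again on every save or edit.
function renderTooltipUnsafe(text) {
  return `<div class="tooltip" role="tooltip">${text}</div>`;
}

// Minimal HTML escaping for text content: the five characters that can
// open or close markup or terminate an attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: escape before interpolation, so the payload is shown
// literally inside the tooltip instead of being parsed as an <img> element.
// (Equivalent in the DOM: assign the text via textContent, not innerHTML.)
function renderTooltipSafe(text) {
  return `<div class="tooltip" role="tooltip">${escapeHtml(text)}</div>`;
}

// Regression check usable without a browser: list the tag names of any
// element in the markup that carries an inline on* event-handler attribute.
// A tooltip rendered from plain text must yield an empty list.
function findEventHandlerTags(html) {
  const found = [];
  const tagRe = /<([a-z][\w-]*)([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (/\bon[a-z]+\s*=/i.test(m[2])) found.push(m[1].toLowerCase());
  }
  return found;
}

// Browser-only confirmation: count <img> elements the HTML parser produces.
// Returns null under Node, where no DOMParser exists.
function countImgElements(html) {
  if (typeof DOMParser === "undefined") return null;
  const doc = new DOMParser().parseFromString(html, "text/html");
  return doc.querySelectorAll("img").length;
}

console.log("unsafe markup :", renderTooltipUnsafe(TOOLTIP_PAYLOAD));
console.log("safe markup   :", renderTooltipSafe(TOOLTIP_PAYLOAD));
console.log("unsafe handlers:", findEventHandlerTags(renderTooltipUnsafe(TOOLTIP_PAYLOAD)));
console.log("safe handlers  :", findEventHandlerTags(renderTooltipSafe(TOOLTIP_PAYLOAD)));
console.log("img count (browser only):", countImgElements(renderTooltipSafe(TOOLTIP_PAYLOAD)));
```

Escaping is the right fix only because a tooltip is plain text. If a field is meant to accept a subset of HTML, escaping breaks it, and the alternative is an allow-list sanitizer run on every render path (initial insertion, save, and re-render), not just on paste.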

Hey, thanks @RahulKhandelwal17 - we're aware of this issue and it will be fixed in the next version.

Fixed by: #5392