Kamalisk / arkhamdb


XSS exploit for the view #371

Closed whassa closed 4 years ago

whassa commented 4 years ago

I've found a way to inject JavaScript into the view, by saving the script in the notes of the edit deck page. [screenshot]

I made a quick script on this page to show the logged-in user's first deck list, to show that it could become dangerous. It could also make requests to other servers such as Google, so information could be sent to others. Here's the deck list example: https://arkhamdb.com/deck/view/1079700

Example of the attack: [screenshot]

Kamalisk commented 4 years ago

Thanks for the report. I guess that has been there for a while. For now I have disabled the HTML stuff from deck views. Decklists are escaped properly; I will have to update decks to use the same, but for now the descriptions show up as plain text.

whassa commented 4 years ago

Super thanks for the great work!

tdctaz commented 4 years ago

OK, so this is why my notes turned into HTML.

Yeah, nicely spotted and quickly disabled.

Kamalisk commented 4 years ago

Used DOMPurify to clean up the description and re-enabled it. Should suffice for now unless I change how it works.
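As an added example (not arkhamdb's code), the two mitigations the maintainer describes, written in plain JavaScript: escaping notes so they render as text only, and routing them through a sanitizer such as DOMPurify before insertion. The function names and the sample note are constructed for this example; `DOMPurify.sanitize` is the real library call, injected as a parameter so the block runs without the dependency.

```javascript
// Added example, not part of arkhamdb. The stored XSS in the thread came from
// inserting deck notes into the view as raw HTML. Two defences are shown:
//  1. renderNotesAsText: escape and show the note as plain text (first fix).
//  2. renderNotesAsHtml: keep formatting but only after a sanitizer such as
//     DOMPurify has run over the note (second fix).

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Plain-text rendering: every character of the note stays visible and none of
// it is parsed as markup. pre-wrap keeps the author's line breaks.
function renderNotesAsText(note) {
  return `<div class="deck-notes" style="white-space:pre-wrap">${escapeHtml(note)}</div>`;
}

// HTML rendering behind a sanitizer. In the browser this is called as
// renderNotesAsHtml(note, DOMPurify.sanitize); the sanitizer is a parameter
// here so the example has no dependency. Refusing to render without one is
// deliberate: forgetting the sanitizer is exactly the original bug.
function renderNotesAsHtml(note, sanitize) {
  if (typeof sanitize !== 'function') throw new TypeError('sanitizer required');
  return `<div class="deck-notes">${sanitize(String(note))}</div>`;
}

// Constructed sample note (not from any real deck): harmless formatting plus
// a script element of the kind the issue reporter stored in the notes field.
const CONSTRUCTED_NOTE = 'Solid build <b>for solo play</b><script>/* constructed */</script>';

// Check used by the self-test: after stripping the wrapper div, nothing that
// came from the note may still contain a '<', i.e. no live tag survives.
function hasLiveTag(html) {
  const inner = html.replace(/^<div[^>]*>/, '').replace(/<\/div>$/, '');
  return /</.test(inner);
}
```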