amitmerchant1990 / electron-markdownify

:closed_book: A minimal Markdown editor desktop app
https://markdownify.js.org
MIT License
973 stars 939 forks

XSS to RCE - re-opened #26

Open silviavali opened 6 years ago

silviavali commented 6 years ago

Hello,

Why would you close an issue without any information on the decision, or on why you have marked it invalid? https://github.com/amitmerchant1990/electron-markdownify/issues/25

You have a nice blog post about electron-markdownify, and I think it is a good application. It would be a pity if you just leave the security issue in there and allow people to keep using it.

Please do check the security checklist for Electron to be aware of the consequences of code execution in Electron applications due to XSS. https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf

In 90 days I'd disclose information on the issue, so I'm hoping for your collaboration in fixing the issue beforehand.

Thanks
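The reporter's point, that an XSS in an Electron renderer is a code-execution bug rather than a browser-grade one, is the core of the Electron security checklist linked above. The example below is added here to illustrate that mechanism; it is not code from electron-markdownify, from the reporter, or from the maintainer, and it does not reflect the vulnerability in this thread, whose details are not on the page. The two `BrowserWindow` option objects, the `auditWebPreferences` and `runInjectedScript` helpers, and the payload string are all constructed for illustration; the real app's window configuration is unknown here. The `require` passed to the injected script is a stub that only records the requested module, so nothing is actually spawned.

```javascript
// Added example, not electron-markdownify's code. Shows why injected script in a
// renderer with nodeIntegration reaches Node APIs, and audits the webPreferences
// settings the Electron security checklist recommends.

// Hypothetical window options. Electron releases before 5 defaulted nodeIntegration
// to true, so a Markdown editor written then typically looked like the first object.
const LEGACY_WINDOW_OPTS = {
  width: 800, height: 600,
  webPreferences: { nodeIntegration: true, contextIsolation: false },
};
const HARDENED_WINDOW_OPTS = {
  width: 800, height: 600,
  webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true },
};

// Checklist items from the Electron security recommendations, reported as findings.
// The checks are conservative: a setting that is merely absent is flagged where
// older Electron versions defaulted it to the unsafe value.
function auditWebPreferences(opts) {
  const wp = (opts && opts.webPreferences) || {};
  const findings = [];
  if (wp.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: injected page script can call require()');
  }
  if (wp.contextIsolation !== true) {
    findings.push('contextIsolation not enabled: page script shares the preload world');
  }
  if (wp.sandbox !== true) {
    findings.push('sandbox not enabled for the renderer process');
  }
  if (wp.webSecurity === false) {
    findings.push('webSecurity disabled: same-origin policy switched off');
  }
  if (wp.allowRunningInsecureContent === true) {
    findings.push('allowRunningInsecureContent enabled');
  }
  if (wp.enableRemoteModule === true) {
    findings.push('remote module enabled: renderer can reach main-process objects');
  }
  return findings;
}

// Simulates the renderer executing a payload that landed in the rendered Markdown,
// e.g. the body of an onerror handler on an injected <img>. In a renderer with
// nodeIntegration, `require` is a real function; without it, page script has no
// such binding. The stub only records which module was requested.
function runInjectedScript(payloadJs, opts) {
  const nodeIntegration = !!(opts.webPreferences && opts.webPreferences.nodeIntegration);
  const requested = [];
  const stubRequire = (name) => {
    requested.push(name);
    return { exec: () => 'would spawn a process' }; // stands in for child_process.exec
  };
  let outcome;
  try {
    // The payload runs with `require` bound either to the stub or to undefined.
    const fn = new Function('require', payloadJs);
    outcome = fn(nodeIntegration ? stubRequire : undefined);
  } catch (e) {
    outcome = `blocked: ${e.name}`; // TypeError: require is not a function
  }
  return { outcome, requested };
}

// Constructed payload: what an attacker might put inside an event handler in a .md file.
const PAYLOAD = "return require('child_process').exec('id');";

function main() {
  for (const [label, opts] of [['legacy', LEGACY_WINDOW_OPTS], ['hardened', HARDENED_WINDOW_OPTS]]) {
    console.log(`${label}: findings=${JSON.stringify(auditWebPreferences(opts))}`);
    console.log(`${label}: injected script -> ${JSON.stringify(runInjectedScript(PAYLOAD, opts))}`);
  }
}
main();
```

Turning `nodeIntegration` off removes the direct `require` path, but it is not the whole fix: the rendered HTML still needs sanitizing (a maintained allowlist sanitizer rather than ad hoc regexes), `contextIsolation` keeps the preload script's privileges out of page reach, and navigation and `window.open` from the renderer should be restricted, all of which the linked checklist covers.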

amitmerchant1990 commented 6 years ago

Hey @silviavali

Please send the report to bullredeyes@gmail.com I'll take a look at it and will try to fix the same. Sorry for the very late follow up.

Thanks!