beyond-all-reason / bar-lobby

BAR Lobby Client
https://beyond-all-reason.github.io/bar-lobby/
MIT License

Fix security issue concerning links in markdown #235

Closed 1-alex98 closed 1 year ago

1-alex98 commented 1 year ago

Among input sanitization https://www.electronjs.org/docs/latest/tutorial/security#13-disable-or-limit-navigation

1-alex98 commented 1 year ago

As it is right now I am able to do RCE if I control a markdown link that a user clicks. I can use XSS to set the target to open the link inside Electron and not the browser, thereby redirecting the user to JS I control. Since "nodeIntegration" is turned on, I gain RCE by this. I suggest sanitizing user input and not solely relying on dompurify (update: seems like that is not possible easily). Also I would disallow navigation away from the index.html in Electron as suggested by (done in PR) https://www.electronjs.org/docs/latest/tutorial/security#13-disable-or-limit-navigation
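The navigation restriction the comment refers to, as an added illustration that is not bar-lobby's own code or the content of the linked PR: the policy lives in plain functions so it can be exercised without Electron, and `installNavigationGuard` wires it to a `webContents` (the function names, the `APP_INDEX_URL` path and the protocol allowlist are assumptions made here). In-app navigations (same document, only hash or query differing) are allowed; `http:`, `https:` and `mailto:` links are handed to the system browser via `shell.openExternal`; everything else, including `javascript:` and foreign `file:` targets, is denied. The `HARDENED_WEB_PREFERENCES` object lists the real Electron `webPreferences` keys that remove the Node bridge the comment identifies as the reason navigation turns into RCE.

```javascript
'use strict';

// Hypothetical location of the packaged renderer entry point; a real app would
// derive this from app.getAppPath() or its dev-server URL.
const APP_INDEX_URL = 'file:///opt/bar-lobby/index.html';

// Protocols that may be handed to the operating system's default handler.
const EXTERNAL_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Real Electron BrowserWindow webPreferences that keep a navigated-to page
// from reaching Node (the issue notes nodeIntegration is currently on).
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// True when the URL is the app's own document (hash/query changes only).
// URL normalisation resolves "..", so path tricks cannot match the index.
function isAppNavigation(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  const index = new URL(APP_INDEX_URL);
  return url.protocol === index.protocol && url.pathname === index.pathname;
}

// Verdict for a navigation or window.open request:
// 'allow' (stay in-app), 'external' (system browser) or 'deny'.
function classifyNavigation(urlString) {
  if (isAppNavigation(urlString)) return 'allow';
  let url;
  try { url = new URL(urlString); } catch { return 'deny'; }
  return EXTERNAL_PROTOCOLS.has(url.protocol) ? 'external' : 'deny';
}

// Attach the policy to an Electron webContents. `webContents` needs `.on` and
// `.setWindowOpenHandler`; `openExternal` is normally shell.openExternal.
function installNavigationGuard(webContents, openExternal) {
  webContents.on('will-navigate', (event, url) => {
    const verdict = classifyNavigation(url);
    if (verdict === 'allow') return;
    event.preventDefault();          // never load foreign content in the app window
    if (verdict === 'external') openExternal(url);
  });
  webContents.setWindowOpenHandler(({ url }) => {
    if (classifyNavigation(url) === 'external') openExternal(url);
    return { action: 'deny' };       // never spawn a second Electron window
  });
}
```

In a real main process the call is `installNavigationGuard(win.webContents, shell.openExternal)` right after the `BrowserWindow` is created with `webPreferences: HARDENED_WEB_PREFERENCES`; the guard is cheap to unit test by passing a stub `webContents` and recording which URLs reach `openExternal`.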