ethz-let / moodle-qtype_drawing


XSS risk from embedding SVG #7

Closed daniil-berg closed 2 years ago

daniil-berg commented 3 years ago

As far as I can see from the formulation_and_controls function in renderer.php, as well as from just inspecting the extended drawing capabilities, only SVG embedding is used. Since it is possible to include JavaScript in SVGs, this poses a serious security risk. One could, for example, imagine a case where a student injects code into his submission that then runs on the teacher's end, performing actions under the teacher's account. This could be mitigated by using an img tag for embedding, which does not allow scripting.
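To make the distinction concrete, here is an added example (not code from moodle-qtype_drawing or from either commenter) in PHP, the language of the plugin's renderer. It contrasts inline embedding of a stored SVG with embedding it through an `img` tag, and adds a DOM-based check that can reject SVG carrying active content before it is stored. The function names `embed_svg_inline`, `embed_svg_as_img` and `svg_has_active_content`, and the sample SVG, are constructed for this example and are not part of the plugin.

```php
<?php
// Added example, not code from moodle-qtype_drawing. All function names and
// the sample SVG below are hypothetical / constructed for illustration.
declare(strict_types=1);

// Constructed sample: a drawing whose markup carries a script element and an
// event-handler attribute. It only serves to show how the two embedding
// strategies and the check treat such content.
const SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    . '<circle cx="50" cy="50" r="40" onload="console.log(1)"/>'
    . '<script>console.log(1)</script>'
    . '</svg>';

/**
 * Unsafe: the SVG markup becomes part of the HTML document, so <script>
 * elements and on* handlers execute in the viewer's (e.g. the teacher's) session.
 */
function embed_svg_inline(string $svg): string {
    return '<div class="drawing">' . $svg . '</div>';
}

/**
 * Safer: an <img> element loads the SVG as an image, and browsers do not run
 * scripts or event handlers in SVG-as-image. The markup is base64-encoded into a
 * data: URI so nothing inside it can break out of the src attribute.
 */
function embed_svg_as_img(string $svg): string {
    $src = 'data:image/svg+xml;base64,' . base64_encode($svg);
    return '<img class="drawing" alt="student drawing" src="'
        . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Defence in depth: returns true when the SVG should be rejected at upload time,
 * i.e. when it is not well-formed XML or contains script elements, on* event
 * handler attributes, javascript: hrefs, or foreignObject (which can wrap HTML).
 * DOM + XPath is used instead of regexes so that whitespace, attribute order and
 * letter case in the markup do not matter.
 */
function svg_has_active_content(string $svg): bool {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $ok = $doc->loadXML($svg, LIBXML_NONET); // no network fetches while parsing
    libxml_clear_errors();
    if (!$ok) {
        return true; // malformed input: reject rather than guess
    }
    $xpath = new DOMXPath($doc);
    $queries = [
        // <script> and <foreignObject> in any namespace, case-insensitively
        "//*[translate(local-name(), 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')='script']",
        "//*[translate(local-name(), 'ABCDEFGHIJKLMNOPQRSTUVWXYZ', 'abcdefghijklmnopqrstuvwxyz')='foreignobject']",
        // any attribute whose name starts with "on" (onload, onclick, ...)
        "//@*[starts-with(translate(name(), 'ON', 'on'), 'on')]",
        // href / xlink:href pointing at a javascript: URL
        "//@*[local-name()='href' and starts-with(translate(normalize-space(.), 'JAVASCRIPT', 'javascript'), 'javascript:')]",
    ];
    foreach ($queries as $q) {
        $nodes = $xpath->query($q);
        if ($nodes !== false && $nodes->length > 0) {
            return true;
        }
    }
    return false;
}

// Demonstration on the constructed sample.
echo "Inline embedding (script and handler reach the page):\n";
echo embed_svg_inline(SAMPLE_SVG), "\n\n";

echo "img embedding (browser treats it as an image, no script execution):\n";
echo embed_svg_as_img(SAMPLE_SVG), "\n\n";

echo "Upload check rejects sample: ", var_export(svg_has_active_content(SAMPLE_SVG), true), "\n";
echo "Upload check rejects plain circle: ", var_export(
    svg_has_active_content('<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'), true
), "\n";
```

The `img` embedding alone removes script execution for SVG-as-image; the upload-time check is a second layer so that the stored drawing is also safe if some other code path later renders it inline. Moodle's own output helpers should be used for the final HTML rather than string concatenation, but the two embedding strategies compare the same way.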

nexterday commented 3 years ago

Can you inject/insert JavaScript in the drawing? Try it and let me know.

Re XSS: https://docs.moodle.org/311/en/XSS_trusted_users