fabiocolacio / Marker

🖊 A gtk3 markdown editor
GNU General Public License v3.0

jsx #318

Open eldr0n opened 4 years ago

eldr0n commented 4 years ago

Hello, I use Marker often and it's great, but JS injections are possible. I don't know exactly how much damage it can do, but I don't think it should be possible.

fabiocolacio commented 4 years ago

Hi, can you elaborate on this @eldr0n? What is the problem exactly and what are the steps to reproduce it?

eldr0n commented 4 years ago

Sorry for the late reply. With a link it's possible.

[link](javascript:alert("hello"))

If you click on the link, Marker runs the JS. [screenshot]

fabiocolacio commented 4 years ago

Interesting. The main way I can see this becoming an issue is from user-included scripts and internet access (i.e. you think you have included a link to an image in your markdown but instead it is a script that is being run). Personally, I think internet access is an unnecessary risk and I had it disabled in the flatpak previously. It was later enabled because people wanted to be able to render remote images.

In any case, I am planning to incorporate the JavaScript features at compile-time, which would allow us to disable JavaScript altogether in the webview and prevent this from being exploited.
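Disabling JavaScript in the webview, as proposed above, is the thorough fix; a narrower defensive check the thread points at is refusing any link destination whose scheme is not on an allowlist before the webview follows it. The block below is an added example in C (Marker's language), not Marker's own code: `link_allowed`, `uri_scheme` and the allowlist are assumptions, and in Marker such a check would hook into WebKitGTK's `decide-policy` handler, which is not shown here.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed example, not Marker's code: a scheme allowlist for link
 * destinations. Anything not listed (javascript:, data:, vbscript:, ...)
 * is refused; a destination with no scheme is a relative path and passes. */
static const char *const ALLOWED_SCHEMES[] = { "http", "https", "file", "mailto", NULL };

/* Parse the URI scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
 * followed by ':'. Writes it lowercased into out (capacity n; an over-long
 * scheme is truncated and therefore cannot match the allowlist). Returns
 * false when the destination has no scheme, i.e. it is a relative reference. */
static bool uri_scheme(const char *uri, char *out, size_t n)
{
    size_t i, o = 0;

    /* Browsers strip leading ASCII whitespace/control bytes before parsing,
     * so " javascript:..." would still execute; skip them the same way. */
    while (*uri != '\0' && (unsigned char)*uri <= ' ')
        uri++;
    if (!isalpha((unsigned char)uri[0]))
        return false;

    for (i = 0; uri[i] != '\0' && uri[i] != ':'; i++) {
        unsigned char c = (unsigned char)uri[i];
        if (!isalnum(c) && c != '+' && c != '-' && c != '.')
            return false;                 /* e.g. "docs/a:b" is a relative path */
        if (o + 1 < n)
            out[o++] = (char)tolower(c);
    }
    if (uri[i] != ':')
        return false;                     /* no ':' at all: relative reference */
    out[o] = '\0';
    return true;
}

/* The decision a webview policy handler would enforce before following a link. */
bool link_allowed(const char *uri)
{
    char scheme[32];
    if (!uri_scheme(uri, scheme, sizeof scheme))
        return true;                      /* relative: resolves against the document */
    for (const char *const *s = ALLOWED_SCHEMES; *s != NULL; s++)
        if (strcmp(scheme, *s) == 0)
            return true;
    return false;                         /* fail closed for every other scheme */
}
```

Checking the final href at the policy-decision point, rather than the markdown source, matters because the renderer has already decoded entity escapes by then.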

vlisivka commented 3 years ago

Keep your hands off this feature. If you need a safe editor, use a safe editor, such as Notepad, please. Scripting makes Marker excellent for engineering calculations, then just print to PDF. Example: [Screenshot as of 2021-01-14 23-06-54]