Closed Erreinion closed 11 years ago
Thanks. I think it's been assumed that all notes will come from a trusted source but given the ability to share and publish lists, this can't be assured. Have you any suggestions to remove this vulnerability?
Perhaps a sanitizer like Caja?
There are a few libraries that you can use.
OWASP ESAPI (https://www.owasp.org/index.php/ESAPI)
Check out OWASP's "XSS CheatSheet" for more tips and approaches: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
by adding:
<script>document.location="http://google.com";</script>
I can reliably redirect WorkFlowy when exporting or drilling down into the note. There is no issue if the code is surrounded by `` or when the extension is disabled.
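One way to apply the output-encoding approach from the OWASP cheat sheet linked in this thread, as an added example that is not part of the original thread or the extension's code. The function names `escapeHtml` and `renderNote` are hypothetical, and the backtick-to-`<code>` rendering is an assumption about how the extension formats notes.

```javascript
// Added example: escapeHtml and renderNote are hypothetical names,
// not functions from the extension discussed in this thread.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

// Encode every character that can change the HTML parsing context,
// so untrusted note text is displayed as text and never parsed as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Render a note for insertion as HTML: escape the whole string first,
// then add only markup that this function generates itself.
// Assumption: notes use `backticks` for inline code spans.
function renderNote(noteText) {
  const safe = escapeHtml(noteText);
  // Backticks are left alone by escapeHtml, so code spans are still
  // recognisable, and their contents are already encoded.
  return safe.replace(/`([^`]+)`/g, "<code>$1</code>");
}

// Constructed sample note, reusing the snippet from the report.
const sample =
  'todo <script>document.location="http://google.com";</script> and `<b>code</b>`';
console.log(renderNote(sample));
```

The order matters: encoding after adding markup would also escape the `<code>` tags, and adding markup from unescaped text would let note content reach the HTML parser.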