Status: Open. oneschirm opened this issue 3 years ago.
Thanks a lot, and very good point.
Problem is that formiko uses JavaScript for scrolling the page at this moment. So this fix can't be so easy.
One can set enable-javascript-markup to FALSE. This would effectively remove all JavaScript from the page while still allowing you to run webkit_web_view_run_javascript ().
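The setting described in the comment above, as an added example that is not formiko's own code: the preview WebView keeps enable-javascript on so the application's own scroll script can still run through run_javascript(), but turns enable-javascript-markup off so script elements and event-handler attributes in the rendered document are dropped at parse time. It assumes PyGObject with the WebKit2 namespace (the "4.1" API version string is an assumption; "4.0" works the same way) and WebKitGTK 2.24 or newer, where enable-javascript-markup exists; the scroll script and helper names are hypothetical.

```python
"""Hardened WebKitGTK settings for a Markdown preview pane (added example).

Assumptions (not from the original issue): PyGObject with the WebKit2
namespace, API version "4.1", and WebKitGTK >= 2.24 so that the
"enable-javascript-markup" property is available.
"""
try:
    import gi
    gi.require_version("WebKit2", "4.1")  # assumed API version
    from gi.repository import WebKit2
except (ImportError, ValueError):
    WebKit2 = None  # pure helpers below still work without GTK installed

# Hypothetical scroll script the application injects itself. It runs via
# run_javascript() even though script markup in the document is stripped.
SCROLL_SCRIPT = "window.scrollTo(0, document.body.scrollHeight * {fraction});"


def hardened_settings():
    """Property values for the preview WebView.

    enable-javascript-markup=False: <script> elements and on* handler
    attributes are removed from the document while parsing, so scripts
    embedded in the rendered Markdown never execute.
    enable-javascript=True: JavaScript the application injects with
    run_javascript() (used here for scrolling) keeps working.
    """
    return {
        "enable-javascript-markup": False,
        "enable-javascript": True,
    }


def apply_hardening(web_view):
    """Apply the hardened values to the WebView's WebKitSettings.

    Fails loudly if the running WebKitGTK predates the markup setting,
    rather than silently leaving script markup enabled.
    """
    settings = web_view.get_settings()
    available = {p.name for p in settings.list_properties()}
    missing = [name for name in hardened_settings() if name not in available]
    if missing:
        raise RuntimeError(
            "WebKitGTK too old, missing settings: %s" % ", ".join(missing))
    for name, value in hardened_settings().items():
        settings.set_property(name, value)
    return settings


def scroll_script(fraction):
    """Build the scroll script for a position in [0, 1] (clamped)."""
    fraction = min(max(float(fraction), 0.0), 1.0)
    return SCROLL_SCRIPT.format(fraction=fraction)


def scroll_preview(web_view, fraction):
    """Scroll the preview from application code, not from document markup."""
    script = scroll_script(fraction)
    web_view.run_javascript(script, None, None)
    return script


def build_preview_view():
    """Create a preview WebView with the hardened settings applied."""
    if WebKit2 is None:
        raise RuntimeError("PyGObject / WebKit2 not available")
    view = WebKit2.WebView()
    apply_hardening(view)
    return view


if __name__ == "__main__":
    view = build_preview_view()
    s = view.get_settings()
    print("javascript markup:", s.get_enable_javascript_markup())
    print("javascript:", s.get_enable_javascript())
    print("scroll script:", scroll_preview(view, 0.5))
```

apply_hardening checks list_properties() first because on a WebKitGTK older than 2.24 set_property("enable-javascript-markup", ...) would fail at runtime anyway; raising with a clear message makes the missing protection visible instead of leaving the preview with script markup enabled.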
Issue: The default markdown preview pane in formiko is vulnerable to XSS and loading arbitrary external content.
Steps to reproduce: