pitr / gemini-ios

Elaho - iOS browser for Gemini protocol
Mozilla Public License 2.0

Security Issue: Elaho executes HTML tags in text/plain responses #41

Open acidus99 opened 2 years ago

acidus99 commented 2 years ago

Hi, I’m a big fan of Elaho, and I discovered a security vulnerability in the latest version (possibly earlier ones as well).

If a file is served with a “text/plain” MIME type, Elaho will render any HTML tags it discovers, including <b>, <u>, but also link tags <a>. You can put a javascript: URI in the link text, and if you click it, it executes JavaScript. Here is a screenshot of me popping a standard alert() box. You can also see some HTML tags rendered:

[screenshot: alert() dialog shown over the page, with HTML tags from the text/plain file rendered]

You can test this yourself here: gemini://gemi.dev/hack.txt

I don’t know the full impact of this. I’ve only done a little digging, but I am pretty worried about this. It really depends on what context / origin the JavaScript is executing in. I can see and call functions on the document and window object. At the very least I can alter the page, and trick the user, or start an infinite list of alert boxes, making the application unusable. Since Elaho reopens tabs on startup, the application would be very difficult to use since it would re-render (and lock up again) the malicious page.

I came across this because I was reading a text file and half of it was all using the strikethrough style. Turns out the file had a <S> text sequence.
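Added as an editorial example, not Elaho's code: a hypothetical Swift renderer showing the vulnerable pattern the report describes (any text body passed through the HTML document type) beside a hardened one (plain text unless the response is declared text/html, plus a scheme allow-list so a javascript: URI in a link is never opened). The `BodyRenderer` type and the allow-list contents are assumptions.

```swift
import Foundation
import UIKit

// Hypothetical renderer (not Elaho's code). NSAttributedString's .html document
// type parses tags such as <s>, <b> and <a href="javascript:..."> into the view,
// which is exactly the behaviour reported for text/plain responses.
enum BodyRenderer {

    /// Vulnerable pattern: every text/* body goes through the HTML parser, so a
    /// text/plain file containing "<s>" or a javascript: link is treated as markup.
    static func renderUnsafe(body: Data, mimeType: String) throws -> NSAttributedString {
        return try NSAttributedString(
            data: body,
            options: [.documentType: NSAttributedString.DocumentType.html,
                      .characterEncoding: String.Encoding.utf8.rawValue],
            documentAttributes: nil)
    }

    /// Hardened pattern: pick the parser from the declared media type and default
    /// to plain text. A text/plain body is stored verbatim, so "<b>" stays literal.
    static func renderSafe(body: Data, mimeType: String) -> NSAttributedString {
        // "text/plain; charset=utf-8" -> "text/plain"
        let type = mimeType.split(separator: ";").first
            .map { $0.trimmingCharacters(in: .whitespaces).lowercased() } ?? ""
        if type == "text/html",
           let html = try? NSAttributedString(
               data: body,
               options: [.documentType: NSAttributedString.DocumentType.html,
                         .characterEncoding: String.Encoding.utf8.rawValue],
               documentAttributes: nil) {
            return html
        }
        // Everything else, including text/plain, is shown as literal characters.
        return NSAttributedString(string: String(decoding: body, as: UTF8.self))
    }

    /// Link-tap gate for UITextViewDelegate.textView(_:shouldInteractWith:in:interaction:).
    /// Assumed allow-list: only protocols the browser is meant to open; "javascript:"
    /// and other unexpected schemes are rejected before anything is executed.
    static let allowedSchemes: Set<String> = ["gemini", "https", "http", "mailto"]

    static func shouldOpen(_ url: URL) -> Bool {
        guard let scheme = url.scheme?.lowercased() else { return false }
        return allowedSchemes.contains(scheme)
    }
}
```

Wire `shouldOpen` into the text view delegate so a tapped link is refused unless its scheme is on the allow-list, independent of how the body was rendered.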