search

smorks / keepassnatmsg

KeePass plugin to expose credentials securely to a browser using Native Messaging
GNU General Public License v3.0
268 stars 25 forks source link

Prevent "SubmitURL" from being Javascript #116

Closed damienfinck closed 6 months ago

damienfinck commented 6 months ago

The variable "SubmitURL" comes from the "action" attribute of the HTML "form" tag. This attribute can contain Javascript, for example <form action="javascript: submit()"> or other protocol like <form action="mailto:john@example.org">. We need to make a few basic checks to exclude these cases. I suggest checking the Scheme and Authority.

Other reason: The option "Return only best matching entries for an URL instead of all entries for the whole domain" doesn't work as expected when SubmitURL is Javascript. It's not logical to use Levenshtein's algorithm to compare a URL and Javascript.

smorks commented 6 months ago

thank you for these. will review and get them merged ASAP.