Open emckerrow1 opened 7 months ago
Hi @emckerrow1
Thank you for your notice. However, I do see a problem in cases where a script tag should be added to include widgets or other embeds.
Simply disallowing the script tag does not seem to be the solution.
Do you have a specific fix in mind?
Hi @webfashionist
Apologies, I have not had a chance to look for a more specific fix, directly for the plugin.
The best solution is to use sanitization, where appropriate. However, if this is not possible, it is worth documenting this issue, ensuring that the developer using the plugin mitigates any potential malicious payloads and tailors script execution for their needs. I suggest they use a library like DOMPurify for user input sanitization and apply a CSP (Content Security Policy).
Sorry I cannot be more helpful at this time. I will let you know if I come up with an exact solution.
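Added example, not code from the plugin or from either participant above: the allowlist sanitization and CSP that the previous comment recommends, worked through on the reporter's payload. It assumes the host application can intercept the HTML string the "Show HTML code" editor returns before inserting it into the page; the tag and attribute allowlists are illustrative and should be set to whatever the editor is actually expected to emit. The hand-rolled tokenizer only shows what an allowlist policy does to each input; in production, pass the same lists to DOMPurify's `ALLOWED_TAGS` / `ALLOWED_ATTR` options instead of shipping this code.

```javascript
// Added example for this issue thread (not the plugin's own code).
// Assumption: the application receives the editor's raw HTML string and can
// filter it before it reaches the DOM. Production equivalent with DOMPurify:
//   DOMPurify.sanitize(html, { ALLOWED_TAGS: [...ALLOWED_TAGS],
//                              ALLOWED_ATTR: ['href', 'title', 'src', 'alt', 'width', 'height', 'class'] });

// Tags the editor is expected to produce (illustrative). Anything else is dropped, its text kept.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'em', 'strong', 'u', 'a', 'ul', 'ol', 'li',
  'h1', 'h2', 'h3', 'blockquote', 'img', 'span', 'div',
]);
// Elements whose content is dangerous too: drop them together with everything inside.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template', 'svg', 'math']);
// Per-tag attribute allowlist; '*' applies to every allowed tag. No on* handlers, no style.
const ALLOWED_ATTR = new Map([['a', ['href', 'title']], ['img', ['src', 'alt', 'width', 'height']], ['*', ['class']]]);
const URL_ATTRS = new Set(['href', 'src']);

// One token per iteration: a comment, a start/end tag (name in group 1, raw attributes in
// group 2), a run of text, or a stray '<' that does not begin a tag.
const TOKEN = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>|[^<]+|</g;
const ATTR = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeHtml(s) {
  return s
    .replace(/&(?![a-zA-Z][a-zA-Z0-9]*;|#\d+;|#x[0-9a-fA-F]+;)/g, '&amp;') // keep existing entities
    .replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Accept relative URLs and http(s)/mailto only. Control characters and whitespace are removed
// first because browsers ignore them, so "java\tscript:" is still javascript: to the browser.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return scheme === null || ['http', 'https', 'mailto'].includes(scheme[1]);
}

function sanitizeAttrs(tag, raw) {
  const allowed = new Set([...(ALLOWED_ATTR.get(tag) || []), ...ALLOWED_ATTR.get('*')]);
  let out = '';
  for (const m of raw.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(name)) continue;                   // drops onerror=, onclick=, style=, srcdoc=, ...
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

function sanitize(html) {
  let out = '';
  let skipping = null; // tag name while inside a DROP_WITH_CONTENT element
  let depth = 0;
  for (const m of html.matchAll(TOKEN)) {
    const token = m[0];
    if (token.startsWith('<!--')) continue;             // comments carry nothing the editor needs
    const name = m[1] && m[1].toLowerCase();
    if (!name) {                                        // text, or a lone '<'
      if (!skipping) out += escapeHtml(token);
      continue;
    }
    const closing = token[1] === '/';
    if (skipping) {                                     // swallow everything up to the matching end tag
      if (name === skipping) depth += closing ? -1 : 1; // (an unclosed <script> swallows the rest: fail closed)
      if (depth === 0) skipping = null;
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing) { skipping = name; depth = 1; }
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;              // unknown tag: drop the tag, keep its text
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[2])}>`;
  }
  return out;
}

// Defence in depth: a CSP without 'unsafe-inline' stops inline <script> blocks and on* handlers
// from executing even if something slips past the sanitizer. The nonce is minted per response.
function contentSecurityPolicy(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Constructed payloads for illustration, starting with the one from the report.
const SAMPLES = [
  '<script>console.log(document.cookie)</script>',
  '<p onclick="alert(1)">Hello <b>world</b></p>',
  '<img src=x onerror="alert(1)">',
  '<a href="java\tscript:alert(1)">link</a>',
  '<svg><script>alert(1)</script></svg>after',
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '=>', JSON.stringify(sanitize(s)));
```

The reported payload sanitizes to an empty string, and the event-handler and `javascript:` variants lose only the offending attribute while the visible content survives, which is the behaviour the reporter asked for (only expected tags and attributes pass). Note that the allowlist, not a denylist of known-bad tags, is what makes this hold up against payloads the list above does not contain.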
Describe the problem
When adding a payload to the HTML code editor after clicking the 'Show HTML code' button, the payload will execute (see screenshot).
What did you expect?
Validation to be applied that allows only expected tags and attributes.
What version and browser are you using?
Version: v1.1.0
Browser and version: Brave 1.64.116 Chromium: 123.0.6312.105 (Official Build) (64-bit)
Reproducible test case
<script>console.log(document.cookie)</script>