z------------- / CPod

(UNMAINTAINED) A simple, beautiful podcast app for Windows, macOS, and Linux.
Apache License 2.0

External links should open in an external browser #223

Closed kousu closed 3 years ago

kousu commented 3 years ago

CPod version: 1.27.1

Platform: Linux

Installation type (.deb, Snap, etc.): AppImage

Description:

If I click the donate button in the app it opens in the app (because it's actually Electron running a webpage) and I can't get out: there's no back button. I also don't know what page I'm on because there's no way to see URLs in the sandboxed Electron environment, so I don't really want to try to donate through it, and even if I did I can't because it seems Electron has blocked loading external JavaScript. Furthermore, if, from that page, I click the GitHub icon on your description, I end up with two Electron windows, neither of them with back buttons.

Is there a way to make all links in Electron apps open externally? This seems like it could probably turn into a remote-code execution vulnerability, if someone could inject a link (maybe via a podcast feed? or by taking over or just posting on a forgotten webpage that you'd linked at some point?).

By the way, I do want to donate. Is https://www.buymeacoffee.com/zackguard the right link? Would you add it to the README here so that there's a backup way to it in the meantime?

Version of CPod which introduced the issue (if applicable):

Steps to reproduce:

  1. Open App
  2. Click Settings icon
  3. Scroll down
  4. Click 'Buy me a coffee'

Other information (e.g. Developer Tools console log, screenshots) if possible:

Here's the way I triggered it: [screenshot: 2021-01-04-161943_1366x768_scrot]

[screenshot: 2021-01-04-161957_1366x768_scrot]

Here you can see the second window open, too:

[screenshot: 2021-01-04-162025_1366x768_scrot]
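The question above ("is there a way to make all links in Electron apps open externally?") has a standard answer in Electron's main process: intercept `will-navigate` on the window's `webContents`, intercept `window.open`/`target="_blank"` with `webContents.setWindowOpenHandler`, and hand only http/https/mailto URLs to `shell.openExternal`, denying everything else so a link from a feed or a stale page can neither navigate the app window nor spawn a second one. The block below is an added example written for this thread, not CPod's code and not what the referenced fix commit does; the Electron objects are passed in as parameters so the policy can be exercised with fakes, and `APP_ENTRY_URL` and the sample clicks are constructed placeholders.

```javascript
// Added example, not CPod's code: an Electron main-process link policy that
// routes outbound links to the system browser and never opens a second
// BrowserWindow. Electron's `shell` and the BrowserWindow are injected so the
// logic runs (and is testable) without Electron installed.

const ALLOWED_EXTERNAL_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Decide what a navigation request may do:
//   'internal' - targets the app's own entry document (stays in-window)
//   'external' - safe to hand to the OS browser via shell.openExternal
//   'deny'     - anything else: file:, javascript:, data:, unparseable, ...
function classifyNavigation(url, appEntryUrl) {
  let target, app;
  try {
    target = new URL(url);
    app = new URL(appEntryUrl);
  } catch {
    return 'deny';
  }
  const sameDocument =
    target.protocol === app.protocol &&
    target.host === app.host &&
    target.pathname === app.pathname;
  if (sameDocument) return 'internal';
  if (ALLOWED_EXTERNAL_SCHEMES.has(target.protocol)) return 'external';
  return 'deny';
}

// Wire the policy to a BrowserWindow. `shell` is Electron's shell module.
function attachLinkPolicy(win, shell, appEntryUrl) {
  const wc = win.webContents;

  // Plain <a href> clicks and location changes inside the window.
  wc.on('will-navigate', (event, url) => {
    const verdict = classifyNavigation(url, appEntryUrl);
    if (verdict === 'internal') return;
    event.preventDefault();               // the app page never navigates away
    if (verdict === 'external') shell.openExternal(url);
  });

  // target="_blank" and window.open(): never create another BrowserWindow.
  wc.setWindowOpenHandler(({ url }) => {
    if (classifyNavigation(url, appEntryUrl) === 'external') {
      shell.openExternal(url);
    }
    return { action: 'deny' };
  });
}

// Drive the policy with fake Electron objects and report what happened.
function simulateClicks(appEntryUrl, clicks) {
  const handlers = {};
  let openHandler = null;
  const opened = [];
  const win = {
    webContents: {
      on: (name, fn) => { handlers[name] = fn; },
      setWindowOpenHandler: (fn) => { openHandler = fn; },
    },
  };
  const shell = {
    openExternal: (url) => { opened.push(url); return Promise.resolve(); },
  };
  attachLinkPolicy(win, shell, appEntryUrl);

  let prevented = 0;       // in-window navigations that were blocked
  let windowsAllowed = 0;  // new BrowserWindows the handler let through
  for (const { url, newWindow } of clicks) {
    if (newWindow) {
      if (openHandler({ url }).action !== 'deny') windowsAllowed += 1;
    } else {
      handlers['will-navigate']({ preventDefault: () => { prevented += 1; } }, url);
    }
  }
  return { opened, prevented, windowsAllowed };
}

// Constructed sample input: a placeholder entry document and a few clicks,
// including the donate link from the report and a same-page settings link.
const APP_ENTRY_URL = 'file:///opt/cpod-example/index.html';
const SAMPLE_CLICKS = [
  { url: 'https://www.buymeacoffee.com/zackguard', newWindow: false },
  { url: 'https://example.com/project-page', newWindow: true },
  { url: 'file:///etc/passwd', newWindow: false },
  { url: 'javascript:void(0)', newWindow: true },
  { url: APP_ENTRY_URL + '?tab=settings', newWindow: false },
];

console.log(simulateClicks(APP_ENTRY_URL, SAMPLE_CLICKS));
```

With the sample clicks, the two https links are passed to `shell.openExternal`, both in-window attempts to leave the entry document are cancelled, and no second window is ever created; the same-document settings link is left alone. `setWindowOpenHandler` exists from Electron 12 onward; on older Electron the equivalent hook is the `new-window` event on `webContents`, and which one CPod 1.27.1 ships with is not stated in this thread.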

z------------- commented 3 years ago

Thanks for the detailed issue description. This has already been fixed in 3cbb37cc020e4d362e2c616390a5c988f1e4e724. I have not created a new build that includes this fix.

Re. the potential vulnerability you suggest, links in episode descriptions already open externally and podcast descriptions are stripped of all HTML.

Re. donation, yes, that is the right link. I really appreciate your wanting to donate, but please be aware that I haven't touched CPod in a long time and I don't realistically see myself spending much more time on it in the future.