Hello @soulfoodisgood,
First of all, thank you for your report.
I'm trying to define the relevance of this issue.
Executing HTML/JS in the viewer is originally a developer feature. It is the owner's responsibility to check the content of these notes.
I could probably prevent JavaScript execution without affecting HTML functionality and/or add a flag to manually allow JavaScript to run in files.
Thanks
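One way to do what the reply above proposes, keeping the HTML formatting of a note while refusing script execution, is an allowlist sanitizer run over the note body before it reaches the viewer. The block below is an added example written for this thread, not znote's own code; the tag and attribute allowlists are assumptions chosen for illustration, and the sample note under `__main__` is constructed (it reuses the `<iframe>` payload quoted in the report). The "allow JavaScript" flag the reply mentions would simply bypass `sanitize_note_html` for notes the owner has explicitly trusted.

```python
"""Allowlist HTML sanitizer for rendering untrusted note bodies (added example)."""
import re
from html import escape
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Allowlists are assumptions for this example; a real app tunes them to its note format.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "em", "strong", "u", "s", "ul", "ol", "li",
    "h1", "h2", "h3", "h4", "pre", "code", "blockquote", "hr", "a", "img",
    "table", "thead", "tbody", "tr", "th", "td",
}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL; javascript:/data: refused
VOID_TAGS = {"br", "hr", "img"}
# Tags whose text content is dropped as well: a script body is code, not note text.
DROP_WITH_CONTENT = {"script", "style"}

_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_TAB_NEWLINE = re.compile(r"[\t\r\n]")


def safe_url(value: str) -> Optional[str]:
    """Return the URL if its scheme is allowlisted, else None.

    Browsers ignore leading/trailing controls and embedded tab/CR/LF when
    reading a scheme, so "java\\nscript:" is normalised before the check.
    """
    cleaned = _TAB_NEWLINE.sub("", _EDGE_CONTROLS.sub("", value))
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in SAFE_SCHEMES else None


class NoteSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else is dropped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # nesting depth inside script/style, whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # unknown tag (iframe, object, svg, ...) vanishes; its text is kept
        allowed = ALLOWED_ATTRS.get(tag, set())
        kept = []
        for name, value in attrs:
            if name not in allowed:  # every on* handler, style=, etc. ends here
                continue
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))  # text is re-escaped on output

    # Comments, <!DOCTYPE> and <?...?> carry nothing a note needs; drop them.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_note_html(raw: str) -> str:
    """Sanitize one note body; returns HTML containing only allowlisted markup."""
    parser = NoteSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample note; the first tag is the payload quoted in the report.
    note = ('<iframe src=x onload=alert(1)><h1>Todo</h1><script>alert(1)</script>'
            '<p>buy <a href="javascript:alert(1)">milk</a></p>')
    print(sanitize_note_html(note))  # <h1>Todo</h1><p>buy <a>milk</a></p>
```

The design choice worth noting is that the sanitizer is allowlist-based: nothing is looked for and removed, only known-good tags and attributes are re-emitted, so a new tag or handler attribute name cannot slip through, and URL-bearing attributes are additionally checked by scheme after the same normalisation a browser applies.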
[Description]
Multiple XSS payloads are available for znote. This leads to execution of the attacker's JavaScript.
[Reproduce]
You can try by copy-pasting the payloads below:
1.
<iframe src=x onload=alert(1)>