Multiple Stored XSS

[soulfoodisgood]

[Description]
Multiple XSS payloads are available for znote. It leads to attacker's javascript execution

[Reproduce]
You can try with copy paste the payloads below:
1.

<svg>
<svg onload=alert(1)>

<iframe src=x onload=alert(1)>

[alagrede]

Hello @soulfoodisgood,
First of all, thank you for your report.
I'm trying to define the relevance of this issue.
Executing HTML/JS in the viewer it's originally a developer feature. It is the owner's responsibility to check the content of these notes.
I could probably prevent javascript execution without affecting HTML functionality and/or add a flag to manually allow javascript to run in files.
Thanks

[soulfoodisgood]

Please check https://medium.com/bugbountywriteup/remote-code-execution-through-cross-site-scripting-in-electron-f3b891ad637
XSS is dangerous for electron apps because once nodeIntegration set as true or it can be bypassed to get "require" available, it leads to remote code execution .

[alagrede]

Ok, for me. Thank you for drawing my attention to this point. I will provide a solution very soon.

[alagrede]

Fix in 0.5.3. It's coming on Windows/Mac App stores.