Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.Sign up
XSS and IFrame Injection Issues on v1.0.104 #740
I planned to use Coordinated and Responsible Disclosure mechanism, but I saw your guideline here about how to report a bug and I decided to follow it. Maybe the guideline need to be revised to prevent any misunderstanding in the future.
All my previous payloads are non-intrusive. Maybe you are still not completely fix issue #500 since I can still trigger the JS alerts although I cannot prove any user data could be stealed.
HTML support is a feature, not a bug and while you can indeed add a lot of random broken things in a note via HTML it's not proven that it can be exploited to either access the user system or view/change user data. Any access from HTML to Joplin or to the system is filtered (via a white list) so normally it's not possible to call arbitrary functions.
I'm not saying there's definitely no security issue but the above post doesn't prove there is one, and I can't think how the feature can be exploited so for now I'm closing the issue.