
XSS vulnerability #4

Erreinion opened this Issue Aug 30, 2012 · 2 comments



by adding:
I can reliably redirect WorkFlowy when exporting or drilling down into the note.

There is no issue if the code is surrounded by `` or when the extension is disabled.

medovob commented Sep 3, 2012

Thanks. I think it's been assumed that all notes will come from a trusted source, but given the ability to share and publish lists, this can't be assured. Have you any suggestions to remove this vulnerability?

Perhaps a sanitizer like Caja?


There are a few libraries that you can use.


Check out OWASP's "XSS CheatSheet" for more tips and approaches:
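As an added example (not code from the extension or from anyone in this thread), the minimal fix in JavaScript: treat note text as text, not markup, whenever it is exported or rendered. The function names and the sample note are constructed for illustration; a full sanitizer such as Caja is only needed if formatting inside notes has to be preserved.

```javascript
// Hypothetical note-rendering helpers for a browser extension (added example).
// The defect reported in this issue is splicing untrusted note text into HTML;
// the fix is to escape it (for generated HTML) or assign it as text (in the DOM).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can start a tag, entity or attribute boundary.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: note text goes straight into markup, so a <script> in a
// shared note becomes a real script element when the export is opened.
function renderNoteUnsafe(note) {
  return `<div class="note">${note}</div>`;
}

// Hardened form: markup characters are escaped, so the browser shows them
// literally instead of parsing them.
function renderNoteSafe(note) {
  return `<div class="note">${escapeHtml(note)}</div>`;
}

// Export path: build a list where every item is escaped individually.
function exportNotesHtml(notes) {
  const items = notes.map((n) => `<li>${escapeHtml(n)}</li>`).join('');
  return `<ul>${items}</ul>`;
}

// DOM path (drill-down view): textContent never interprets markup, unlike innerHTML.
function renderNoteInto(element, note) {
  element.textContent = note;
}

// Constructed sample note containing markup, as described in the report above.
const SAMPLE_NOTE = 'Buy milk <script>marker()</script>';

module.exports = { escapeHtml, renderNoteUnsafe, renderNoteSafe, exportNotesHtml, renderNoteInto, SAMPLE_NOTE };
```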

@medovob medovob closed this in bdeaf41 Sep 4, 2012