I can reliably redirect WorkFlowy when exporting or drilling down into the note.
There is no issue if the code is surrounded by `` or when the extension is disabled.
Thanks. I think it's been assumed that all notes will come from a trusted source, but given the ability to share and publish lists, this can't be assured. Have you any suggestions to remove this vulnerability?
Perhaps a sanitizer like Caja?
There are a few libraries that you can use.
OWASP ESAPI (https://www.owasp.org/index.php/ESAPI)
Check out OWASP's "XSS CheatSheet" for more tips and approaches: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
sanitise generated html before adding to DOM - fixes #4
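Added example, not part of the thread or the extension's own code: one way to sanitise generated HTML before it reaches the DOM is to escape the note text first and then re-introduce only the tags the renderer itself produces. `escapeHtml`, `safeHref`, `renderNote` and the small markup subset are assumptions made for illustration.

```javascript
// Escape-then-render for untrusted note text (hypothetical helper names).
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Neutralise every character that could open a tag, entity or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Allowlist of link schemes; anything else (javascript:, data:, relative) is refused.
function safeHref(raw) {
  const url = raw.trim();
  return /^(https?:\/\/|mailto:)/i.test(url) ? url : null;
}

function renderNote(text) {
  // 1. Escape first, so nothing typed into a note survives as markup.
  let html = escapeHtml(text);
  // 2. Add back a fixed set of tags that only this function generates.
  html = html.replace(/`([^`]+)`/g, "<code>$1</code>");
  html = html.replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>");
  html = html.replace(/\[([^\]]+)\]\(([^)\s<]+)\)/g, (match, label, target) => {
    const href = safeHref(target);
    // A refused target is left as plain (already escaped) text.
    return href ? `<a href="${href}" rel="noopener noreferrer">${label}</a>` : match;
  });
  return html;
}

// Constructed sample note mixing markup, a raw tag and a refused link scheme.
const sample = "**todo** <img src=x> [docs](https://example.com/?a=1&b=2) [x](javascript:void0)";
console.log(renderNote(sample));
```

The returned string is the only thing assigned to `innerHTML`; where a note needs no formatting at all, `textContent` avoids HTML parsing entirely.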