Impact
Inline scripts are executed when JavaScript is parsed via a paste action.
<img src=null onerror=alert('hello')> into the chat field.
Patches
Will be patched in 0.0.9 by blocking unsafe-inline in the Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.
For more information
If you have any questions or comments about this advisory:
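Added example, not part of the advisory or the project's code: a JavaScript check that a Content Security Policy string has the two properties described under Patches, namely that inline handlers such as the onerror attribute from Impact are not allowed and that blob: workers still are. The function names and both sample policies are constructed for illustration.

```javascript
// Added example: audits a CSP string for the two properties the patch needs.
// Function names and the sample policies are constructed for illustration.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    // Lower-casing is safe here because only keywords and schemes are compared.
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    // Per the CSP spec, only the first occurrence of a directive counts.
    if (name && !directives.has(name)) directives.set(name, values);
  }
  return directives;
}

function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  // Inline handlers such as onerror= are governed by script-src-attr,
  // falling back to script-src and then default-src.
  const script = d.get('script-src-attr') || d.get('script-src') || d.get('default-src');
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const ignored = (script || []).some(v => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(v));
  if (!script) {
    findings.push('no script-src/default-src: inline handlers execute');
  } else if (script.includes("'unsafe-inline'") && !ignored) {
    findings.push("'unsafe-inline' in effect: inline handlers execute");
  }
  // Workers fall back worker-src -> child-src -> script-src -> default-src.
  const worker = d.get('worker-src') || d.get('child-src') || d.get('script-src') || d.get('default-src');
  // '*' does not match the blob: scheme, so blob: must be listed explicitly.
  if (worker && !worker.includes('blob:')) {
    findings.push('blob: workers blocked: video player breaks');
  }
  return findings;
}

// Constructed sample policies: the weak setting beside the corrected one.
const WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const HARDENED = "default-src 'self'; script-src 'self'; worker-src blob:";
console.log('weak:', auditCsp(WEAK));
console.log('hardened:', auditCsp(HARDENED));
```

The weak policy yields two findings because, without worker-src, workers inherit script-src, which does not list blob:.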