Skip to content

Filter <meta> tags from notes #404

New issue
New issue
Open
Open
Filter <meta> tags from notes#404
Labels
priority:highThis is a high-priority issueproject:jsThis affects the js UItag:securityThis is a security issue (encryption problem, data leak, etc)type:bugGET THE RAID
Milestone
 
v0.7.3
@orthecreedence

Description

@orthecreedence
orthecreedence
opened on Dec 13, 2021

Notes allow <meta> tag injection. Ie, a note with the content

<META HTTP-EQUIV="refresh" CONTENT="0; URL=https://google.com">

opens a new browser window to Google. While this problem would happen over person-to-person sharing and thus the severity is limited (because you generally only share with those you trust) it remains high priority.

Special thanks to Rafay Baloch and Muhammad Samak for this report.

Metadata

Assignees

No one assigned

    Labels

    priority:highThis is a high-priority issueproject:jsThis affects the js UItag:securityThis is a security issue (encryption problem, data leak, etc)type:bugGET THE RAID

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions