XSS Due to insufficient checks on the external resources

[kahla-sec]

Describe the bug

The memos application allows users to add resources from an external link. It was found that there are no checks on the added link, thus allowing a malicious user to introduce links starting with javascript: scheme . If the user creates a public note with an external resource pointing to a malicious link javascript:alert(1), it would be possible to achieve XSS and steal the other users private notes or impersonate their accounts .
It's advised to only allow external resources that are served from https:// websites in order to mitigate this vulnerability.

Steps to reproduce

1- Create a resource and choose External Link
2- Type the following link: javascript:alert(document.domain)
3- Choose the type as application/* and add the resource
4- Now create a new public note and add the malicious external resource
5- If a user or the admin clicks the external resource, the malicious JS code will be executed on their behalf

Screenshots or additional context

No response

[kahla-sec]

Any answer from the maintainers ?
@boojack Maybe you can help regarding this :)

[boojack]

@kahla-sec Thanks so much. We will fix this as soon as possible.

[kahla-sec]

Thanks a lot! I'll be glad to retest it when it's done!