
XSS

Open · NDevTK opened this issue 3 years ago · 1 comment

It seems code is normally run in a sandboxed iframe (https://github.com/google/codeworld/issues/1193), but you can still get XSS via a link.

https://code.world/doc.html?path=data:text/html,%3Cimg%20src%20onerror=%22alert(window.origin)%22%3E%3C/img%3E

https://code.world/gallery.html?path=data:text/html,%7B%22items%22:%5B%7B%22name%22:%22Click%20me%22,%22url%22:%22javascript:alert(window.origin)%22%7D%5D%7D (needs a click, but there is no embed protection)

I'm not sure what's considered a risk; maybe this is allowed. Also, the security policy for this repo is https://github.com/google/codeworld/security/policy, and Google probably won't respond to reported issues.

NDevTK · Jul 12 '22 10:07
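The two links above share one root cause: a `path` query parameter (and, for the gallery, item URLs read from the fetched JSON) is accepted as an arbitrary URL, so `data:` and `javascript:` schemes reach the page. The following is an added example, not CodeWorld's own code, showing the kind of allowlist validation a defender would put in front of such parameters. The function names, the `https://code.world` origin check and the `/doc/*.md` allowlist are assumptions made for illustration; the sample gallery JSON is constructed from the second link in the report plus one benign entry.

```javascript
// Added example (not CodeWorld's code). Validates a `path` query parameter
// before it is loaded into the page, and filters item URLs from gallery JSON.
// The allowlist below (same origin, /doc/<name>.md) is a hypothetical policy.

const PAGE_ORIGIN = "https://code.world"; // assumed origin of the app

// Returns true only for same-origin paths under /doc/ ending in .md.
// Absolute URLs, protocol-relative "//host" inputs, data: and javascript:
// schemes all resolve to a different (or "null") origin and are rejected.
function isSafeDocPath(path) {
  if (typeof path !== "string" || path.length === 0) return false;
  let url;
  try {
    url = new URL(path, PAGE_ORIGIN + "/");
  } catch {
    return false; // unparseable input is never loaded
  }
  if (url.origin !== PAGE_ORIGIN) return false;
  return /^\/doc\/[A-Za-z0-9_-]+\.md$/.test(url.pathname);
}

// Gallery item links must be absolute http(s) URLs; anything else
// (javascript:, data:, vbscript:, relative strings) yields null.
function safeGalleryUrl(url) {
  let parsed;
  try {
    parsed = new URL(String(url));
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  return parsed.href;
}

// Parses gallery JSON and keeps only items whose name is a string and whose
// url passes safeGalleryUrl(); malformed JSON yields an empty gallery.
function sanitizeGallery(jsonText) {
  let data;
  try {
    data = JSON.parse(jsonText);
  } catch {
    return [];
  }
  const items = Array.isArray(data && data.items) ? data.items : [];
  const safe = [];
  for (const item of items) {
    if (!item || typeof item.name !== "string") continue;
    const url = safeGalleryUrl(item.url);
    if (url === null) continue; // drops the javascript: entry from the report
    safe.push({ name: item.name, url });
  }
  return safe;
}

// Constructed sample: the payload from the report plus one benign item.
const SAMPLE_GALLERY_JSON = JSON.stringify({
  items: [
    { name: "Click me", url: "javascript:alert(window.origin)" },
    { name: "Safe link", url: "https://code.world/gallery.html" },
  ],
});

// Constructed doc-path inputs, one benign and one in the style of the report.
const SAMPLE_DOC_PATH_OK = "doc/Prelude.md";
const SAMPLE_DOC_PATH_BAD = "data:text/html,<img src onerror=\"alert(window.origin)\">";

// Stand-alone run: prints the filtered gallery and the two path verdicts.
console.log(sanitizeGallery(SAMPLE_GALLERY_JSON));
console.log(isSafeDocPath(SAMPLE_DOC_PATH_OK), isSafeDocPath(SAMPLE_DOC_PATH_BAD));
```

Resolving the parameter with `new URL(path, base)` and then comparing `origin` is what makes the check robust: it covers `data:`, `javascript:`, absolute and protocol-relative URLs in one branch instead of a scheme denylist, and the path regex limits what can be fetched from the app's own origin.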

To clarify, CodeWorld is my personal project. In the past, I was a Google employee, and because of internal company process, it was easier to release it on Google's GitHub account. This isn't an official Google project, though.

Thanks for the bug report.

cdsmith · Jul 12 '22 19:07