
Default preview is vulnerable to XSS

Open oneschirm opened this issue 4 years ago • 2 comments

Issue: The default markdown preview pane in formiko is vulnerable to XSS and loading arbitrary external content.

Steps to reproduce:

  • Open a new instance of formiko
  • Check that application is set to "Both" for the view
  • Paste the below code in the editor:
```html
<script>
localStorage.setItem('test','i guess it renders')
document.write(localStorage.getItem('test'));
</script>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/XOJAddj_SJE?controls=0" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
```

oneschirm avatar Dec 12 '20 05:12 oneschirm

Thanks a lot, and very good point.

The problem is that formiko uses JavaScript for scrolling the page at this moment, so this fix can't be so easy.

ondratu avatar Dec 15 '20 19:12 ondratu

One can set `enable-javascript-markup` to `FALSE`. This would effectively remove all JavaScript from the page while still allowing you to run `webkit_web_view_run_javascript ()`.

johnfactotum avatar Mar 30 '21 08:03 johnfactotum
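
The setting suggested in the last comment, sketched as an added example (not formiko's own code): markup JavaScript is turned off on the preview's `WebKit2.Settings` while the host keeps scrolling through `run_javascript`. The helper names, the scroll snippet and the WebKit2GTK 4.0 API version are assumptions; the setting covers script markup only and does not block the external `<iframe>` content from the report.

```python
# Added example, not formiko's code. Building a real view needs PyGObject and
# WebKit2GTK >= 2.24; the two helper functions import without them.

def harden_settings(settings):
    """Disable JavaScript that arrives inside the rendered document.

    `settings` is a WebKit2.Settings (any object with set_property works).
    enable-javascript stays on, so host-issued scripts still execute.
    """
    settings.set_property("enable-javascript", True)
    settings.set_property("enable-javascript-markup", False)
    return settings


def scroll_script(fraction):
    """Build the host-side scroll snippet (hypothetical helper).

    Only a clamped float is interpolated, so text from the edited
    document can never end up in the script source.
    """
    f = min(1.0, max(0.0, float(fraction)))
    return ("window.scrollTo(0, %r * (document.documentElement.scrollHeight"
            " - window.innerHeight));" % f)


def make_preview(html):
    """Create a preview WebView with markup JavaScript disabled."""
    import gi
    gi.require_version("WebKit2", "4.0")  # assumption: WebKit2GTK 4.0 API
    from gi.repository import WebKit2

    view = WebKit2.WebView()
    harden_settings(view.get_settings())
    # <script> elements and on* attributes are dropped while parsing.
    view.load_html(html, None)
    return view


def scroll_preview(view, fraction):
    """Scroll from the host side; call after the page has finished loading."""
    view.run_javascript(scroll_script(fraction), None, None, None)
```
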