XSS
Hi,
First of all, fantastic app, thanks a lot for your work.
I'd like to report an XSS vulnerability that could lead to security issues.
The use of innerHTML in notifications.js and many other files (grep -rnw . -e 'innerHTML') to display notifications/messages/etc. is insecure.
Even though innerHTML does not execute JavaScript, it does load iframes, so a malicious attacker could send you a WhatsApp message or similar with this structure:
<iframe src="http://evil.com"></iframe>
to remotely execute code in your notification tab, for example to display an alert, as in my example:
Consider using or similar to escape any kind of user input and avoid these problems.
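The pattern the report describes, shown as an added example rather than the project's own code or the reporter's: the same untrusted notification string rendered three ways, once with `innerHTML` as reported, once with `textContent`, and once escaped into an HTML template. The function names, the `fakeElement` stand-in for a DOM node, and the sample message are assumptions made for this illustration; in a page you would use a real element from `document.createElement`.

```javascript
// Added example (not the project's code). Names and sample data are assumed.

// Constructed sample: a message body an attacker controls, e.g. the text of an
// incoming chat message that the app turns into an on-screen notification.
const ATTACKER_MESSAGE = '<iframe src="http://evil.com"></iframe>';

// Escape the characters HTML treats specially. Needed only when the string
// is concatenated into markup; textContent needs no escaping at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern from the report: the message is parsed as markup, so an
// <iframe> (or an <img onerror=...>) in it becomes a live element in the page.
function renderUnsafe(el, message) {
  el.innerHTML = message;
  return el;
}

// Fix 1: assign as text. The browser never parses the string as HTML.
function renderSafe(el, message) {
  el.textContent = message;
  return el;
}

// Fix 2: when the surrounding template really is HTML, escape each untrusted
// part before it is concatenated into the markup.
function renderTemplate(el, sender, message) {
  el.innerHTML = `<b>${escapeHtml(sender)}</b>: ${escapeHtml(message)}`;
  return el;
}

// Minimal stand-in for a DOM element so the example runs outside a browser.
// It models only the direction used here: setting textContent serialises to
// escaped innerHTML, as a real element does. Setting innerHTML directly does
// not update textContent in this stub.
function fakeElement() {
  let text = '';
  return {
    innerHTML: '',
    get textContent() { return text; },
    set textContent(v) { text = String(v); this.innerHTML = escapeHtml(v); },
  };
}

// Check used in the assertions: does the rendered markup still contain a raw
// <iframe ...> start tag that the parser would instantiate?
function containsIframeTag(html) {
  return /<iframe\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe :', renderUnsafe(fakeElement(), ATTACKER_MESSAGE).innerHTML);
console.log('safe   :', renderSafe(fakeElement(), ATTACKER_MESSAGE).innerHTML);
console.log('escaped:', renderTemplate(fakeElement(), 'Mallory', ATTACKER_MESSAGE).innerHTML);
```

Preferring `textContent` over escaping is deliberate: escaping only protects the one context it was written for (element content), while `textContent` removes the HTML parser from the path entirely, so a later change to the template cannot silently reintroduce the bug.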
Thank you very much! :) Really appreciate the input! I've now fixed this! Let me know if you find any other issues, thanks again!