turtl/tracker

Filter <meta> tags from notes

orthecreedence opened this issue · 2 comments

Notes allow <meta> tag injection. I.e., a note with the content

<META HTTP-EQUIV="refresh" CONTENT="0; URL=https://google.com">

opens a new browser window to Google. While this problem would happen over person-to-person sharing and thus the severity is limited (because you generally only share with those you trust), it remains high priority.

Special thanks to Rafay Baloch and Muhammad Samak for this report.

Can I work on this?

Yeah, please do! This would be a good kick in the pants for me to do a security release. If you need any help getting the app set up, let me know.
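
One way to do the filtering this issue asks for, as an added example that is not Turtl's code or part of the thread: an allowlist filter that escapes every tag it does not recognise (including `<meta>`) and drops all attributes from the tags it keeps. It assumes note content is inserted into the page as HTML; `sanitizeNoteHtml` and the tag list are hypothetical names chosen for illustration.

```javascript
// Added example, not Turtl's code. Assumption: note text is rendered as HTML.
// Allowlist approach: anything that is not a known-safe tag is escaped so the
// browser shows it as text, and allowed tags are re-emitted with no attributes
// (so http-equiv, onclick, style, etc. never reach the DOM).
const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'em', 'strong', 'code', 'pre',
  'ul', 'ol', 'li', 'blockquote', 'h1', 'h2', 'h3',
]);

// In text context only the angle brackets need neutralising.
const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');

function sanitizeNoteHtml(input) {
  // A complete opening or closing tag: <name ...> or </name>.
  // Tag names are matched case-insensitively, so <META> and <meta> are equal.
  const tagPattern = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^<>]*>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagPattern.exec(input)) !== null) {
    // Text between tags: stray or unterminated "<" is escaped here.
    out += escapeText(input.slice(last, m.index));
    const name = m[2].toLowerCase();
    out += ALLOWED_TAGS.has(name)
      ? `<${m[1]}${name}>`   // keep the tag, discard its attributes
      : escapeText(m[0]);    // unknown tag: show it as literal text
    last = tagPattern.lastIndex;
  }
  return out + escapeText(input.slice(last));
}

// The note content from the issue, plus a constructed note with an attribute.
const reported = '<META HTTP-EQUIV="refresh" CONTENT="0; URL=https://google.com">';
console.log(sanitizeNoteHtml(reported));
console.log(sanitizeNoteHtml('<b onclick="x()">hi</b>'));
```

Escaping by default means a tag that is later found to be dangerous is already inert unless someone has added it to the allowlist.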