Filter <meta> tags from notes
orthecreedence opened this issue · 2 comments
orthecreedence commented
Notes allow <meta>
tag injection. I.e., a note with the content
<META HTTP-EQUIV="refresh" CONTENT="0; URL=https://google.com">
opens a new browser window to Google. While this problem would happen over person-to-person sharing and thus the severity is limited (because you generally only share with those you trust), it remains high priority.
Special thanks to Rafay Baloch and Muhammad Samak for this report.
dbmohit commented
Can I work on this?
orthecreedence commented
Yeah, please do! This would be a good kick in the pants for me to do a security release. If you need any help getting the app set up, let me know.