The current implementation allows for XSS in the title fields.
XSS in an Electron app with Node integration enabled allows the injected script to interact with the system API and execute applications or commands.
Markdown POC:
# sometitle <script type="text/javascript">window.top.require('child_process').execFile('/usr/bin/gnome-calculator',function(){});</script>
Fix:
Encode output before it is rendered to the UI (HTML-encode the title wherever it is inserted into markup).
Reference: OWASP XSS Prevention Cheat Sheet
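To illustrate the recommended fix, here is an added example (not code from the original report or the affected project) showing an HTML-encoding helper and a renderer-side title rendering function that uses it, next to the unsafe pattern for contrast. The function names `escapeHtml`, `renderTitleUnsafe`, `renderTitleSafe` and `containsTag` and the sample title are assumptions constructed for this example.

```javascript
// Added example: encode untrusted title text before it reaches the DOM.
// Escapes the five characters that matter in HTML text and attribute contexts.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Unsafe pattern (kept only for contrast): the raw Markdown heading text is
// interpolated straight into HTML, so a <script> inside `title` becomes live markup.
function renderTitleUnsafe(title) {
  return `<h1>${title}</h1>`;
}

// Hardened pattern: the same heading, with the title encoded first.
// The browser shows the literal characters instead of parsing them as tags.
function renderTitleSafe(title) {
  return `<h1>${escapeHtml(title)}</h1>`;
}

// Simple check usable in tests or logging: after stripping the wrapper
// element, does the rendered output still contain anything an HTML parser
// would treat as an opening or closing tag?
function containsTag(html) {
  const body = html.replace(/^<h1>|<\/h1>$/g, '');
  return /<\/?[a-z]/i.test(body);
}

// Constructed sample title with the same shape as the PoC in the report
// (a heading followed by injected markup).
const sample = 'sometitle <script>alert(1)</script>';

console.log(renderTitleUnsafe(sample)); // tag survives: script would run
console.log(renderTitleSafe(sample));   // tag is neutralised as text
```

Encoding at the point of output is the fix the report asks for; as defence in depth, an Electron renderer that does not need Node access should also be created with `nodeIntegration: false` and `contextIsolation: true` in its `webPreferences`, so that an XSS that does slip through cannot reach `require('child_process')` as the PoC does.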