mirror of
https://github.com/streetwriters/notesnook.git
synced 2025-12-25 16:09:42 +01:00
This fixes a potential security vulnerability where pasting unknown content into the editor could create an RCE risk. This PR fixes two issues:

1. Potential RCE when pasting/inserting an `iframe` containing a `javascript` link.
2. Potential RCE when pasting/inserting an `svg` containing JavaScript (why do SVGs allow JS in the first place?).

Mitigations include disallowing all execution of JS inside an SVG by rendering it in a sandboxed `iframe`. While we cannot disallow JS execution in embeds (that would break all embeds like YouTube videos), we have disallowed access to the parent window to all `iframe`s, again, by using a sandboxed `iframe` and by disallowing embedding of `javascript:` links.

To be clear, both of these issues can only be triggered when pasting/importing untrusted content (which you shouldn't be doing anyway). **These cannot be used to steal or access your notes or any other data. They could be used to access what's shown in the window or do automated clicks etc., but since everything is stored and accessed from an encrypted SQLite database, your data would be 100% safe and isolated from such an attack.**
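The two mitigations the PR describes (refusing `javascript:` embed URLs, and rendering pasted SVG and external embeds inside sandboxed `iframe`s) are shown below as an added, self-contained example. This is not Notesnook's own code from the PR; the helper names (`safeEmbedUrl`, `sandboxedSvgIframe`, `sandboxedEmbedIframe`) and the choice of `http:`/`https:` as the only embeddable schemes are assumptions made for illustration. It builds HTML strings rather than DOM nodes so it runs unchanged in Node or a browser.

```javascript
// Added example (not Notesnook's code). Schemes an embed may use; anything else
// (javascript:, data:, vbscript:, ...) is refused outright. Assumed allow-list.
const ALLOWED_EMBED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised URL when `src` is safe to place in an <iframe src>,
// otherwise null. Going through the WHATWG URL parser means case tricks
// ("JaVaScRiPt:") and leading whitespace are normalised before the check.
function safeEmbedUrl(src) {
  if (typeof src !== "string") return null;
  let url;
  try {
    url = new URL(src.trim());
  } catch {
    return null; // relative or unparsable input is not an embeddable URL
  }
  return ALLOWED_EMBED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Minimal HTML attribute escaping so untrusted markup can sit inside srcdoc="...".
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Pasted SVG is rendered in a fully sandboxed frame. An empty sandbox attribute
// disables scripts, same-origin access, navigation and forms, so <script> blocks
// and on* handlers inside the SVG never execute.
function sandboxedSvgIframe(svgMarkup) {
  return `<iframe sandbox="" srcdoc="${escapeAttr(svgMarkup)}"></iframe>`;
}

// External embeds must keep allow-scripts (players break otherwise), but without
// allow-same-origin the frame runs in an opaque origin and cannot reach the parent
// window, and without allow-top-navigation it cannot navigate the app away.
// Returns null when the URL is not safe to embed at all.
function sandboxedEmbedIframe(src) {
  const href = safeEmbedUrl(src);
  if (href === null) return null;
  return `<iframe sandbox="allow-scripts allow-popups" src="${escapeAttr(href)}"></iframe>`;
}

// Usage with constructed sample input.
if (typeof module !== "undefined" && require.main === module) {
  console.log(sandboxedEmbedIframe("https://www.youtube.com/embed/example"));
  console.log(sandboxedEmbedIframe("javascript:void(0)")); // null
  console.log(sandboxedSvgIframe('<svg onload="void(0)"></svg>'));
}
```

The SVG path deliberately uses `srcdoc` with an empty `sandbox`: the sanitiser does not need to enumerate every scripting vector SVG supports, because the sandbox refuses script execution regardless. For embeds the URL check is the gate, since script execution inside the frame must stay enabled.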