This repository has been archived by the owner on Jul 11, 2019. It is now read-only.

Potential remote arbitrary code execution #172

Open
freetom opened this issue Feb 27, 2017 · 0 comments

Comments

@freetom

freetom commented Feb 27, 2017

Hi, I noted that here the message is directly used to set the value of the innerHTML field of a DOM element without HTML sanitization. When rendered, the element will trigger an XSS injection, which in Electron implies arbitrary JS code execution (shell commands, etc.).

I said "potential" because I am not able to test the chat with anyone. We tried with 2 boxes on the same network, but apart from the "1 peer connected" status message we found no way to chat :(
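The pattern the report describes, and the fix a maintainer would apply, as an added example that is not code from this repository. It contrasts assigning a peer's message to `innerHTML` (the reported pattern) with inserting it as a text node, and includes a small `containsTag` check of the kind a test suite could run over rendered output. Node has no DOM, so `FakeElement`, `renderMessageUnsafe`, `renderMessageSafe` and the sample message are constructed stand-ins for the app's own rendering code:

```javascript
// Added example, not code from the original repository. FakeElement stands in for a
// DOM node: assigning innerHTML hands the string to the HTML parser unchanged, while
// assigning textContent creates a text node, which the browser serialises with markup
// characters escaped (modelled here with escapeHtml).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let text break out into markup or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

class FakeElement {
  constructor() { this._html = ''; }
  set innerHTML(markup) { this._html = String(markup); }   // parsed as markup
  get innerHTML() { return this._html; }
  set textContent(text) { this._html = escapeHtml(text); } // stored as text
}

// The pattern reported in the issue: the remote message becomes markup, so any
// element or event-handler attribute inside it is parsed and executed.
function renderMessageUnsafe(el, message) {
  el.innerHTML = message;
  return el.innerHTML;
}

// Hardened rendering: the message is inserted as a text node and is never parsed
// as a tag, whatever the peer sends.
function renderMessageSafe(el, message) {
  el.textContent = message;
  return el.innerHTML;
}

// Review/test helper: does the markup that reached the parser contain an element tag?
function containsTag(markup) {
  return /<\/?[a-zA-Z]/.test(markup);
}

// Constructed sample: a chat message carrying an element with an event handler.
const SAMPLE_MESSAGE = '<img src="x" onerror="alert(1)">';

function demo() {
  const unsafe = renderMessageUnsafe(new FakeElement(), SAMPLE_MESSAGE);
  const safe = renderMessageSafe(new FakeElement(), SAMPLE_MESSAGE);
  return {
    unsafe,                             // '<img src="x" onerror="alert(1)">'
    safe,                               // '&lt;img src=&quot;x&quot; onerror=&quot;alert(1)&quot;&gt;'
    unsafeHasTag: containsTag(unsafe),  // true
    safeHasTag: containsTag(safe),      // false
  };
}

console.log(demo());
```

If the chat needs to render some formatting, the fix is to build elements with `document.createElement` and set text through `textContent`, or to run the message through an HTML sanitizer before assignment; escaping alone is the minimum. In Electron the blast radius also depends on renderer settings: with Node integration enabled in the renderer, a script injected this way can reach Node APIs, which is why the report escalates an XSS to arbitrary code execution.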
