Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
URGENT: Possible vulnerability to injection attacks
See original GitHub issueProblem: inserting arbitrary JavaScript into documents is possible, and it will execute. It also seems to cause the entire rest of the page to not render. The person with edit permission to the document cannot then remove the JS, because the edit field is also blanked out.
Solution: disable <script> tags. Do not allow execution of any JavaScript entered by the users.
For an example, try creating a new blank document, entering some dummy text, and then pasting this at the bottom:
<script> document.title = "The title"; </script>
Or, see this document (and its source, which is available).
Note that the title in your web browser changes.
Issue Analytics
- State:
- Created 6 years ago
- Reactions:2
- Comments:7 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I cannot see any legitimate reason to use JavaScript in a homebrewery document. Homebrewery is for building up pages that look high-quality like the D&D published books. There’s no room for dynamic content in that. All it does is increase the attack surface.
Closing because this appears to be solved.