
fix: xss in link toolbar and file download #1060


Merged
merged 2 commits into from
Sep 11, 2024

Conversation

zeyu2001 (Contributor) commented Sep 8, 2024

There is an XSS vulnerability in the file upload and link toolbar features.

To reproduce, create a file embed or a link with javascript:alert(origin). Click on the download / open button, and alert(origin) will be run in the user's browser.


This fixes the XSS vulnerability by providing a sensible default when the protocol is javascript:.
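The check described in the PR (fall back to a harmless href when the scheme is javascript:) can be implemented by allow-listing URL schemes after parsing the href with the WHATWG URL parser, so that case differences, leading whitespace and embedded tabs are normalised before the comparison. The block below is an added example, not BlockNote's code or the code of this PR; the names safeHref, linkAttributes, SAFE_PROTOCOLS and FALLBACK_HREF, and the sample hrefs, are assumptions made for the illustration. It also goes a little beyond the page by treating data: and unparseable hrefs the same way.

```javascript
// Added example, not BlockNote's own code: scheme allow-listing for link and
// file-download targets. The names below are assumed for this illustration.

// Schemes a link/open/download button may navigate to. Everything else
// (javascript:, data:, vbscript:, ...) is replaced with a harmless default.
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:", "blob:"]);

// Hash-only href: clicking it does nothing beyond scrolling the current page.
const FALLBACK_HREF = "#";

// Returns `href` unchanged if its scheme is allow-listed, otherwise FALLBACK_HREF.
// Parsing with the URL API lower-cases the scheme and strips leading/trailing
// whitespace and embedded tabs/newlines, so inputs such as "  JavaScript:..."
// or "java\tscript:..." are caught; a naive startsWith("javascript:") test
// would let them through.
function safeHref(href) {
  if (typeof href !== "string") return FALLBACK_HREF;
  let parsed;
  try {
    // The base only matters for relative hrefs ("/docs", "#top"), which
    // inherit its https: scheme and therefore pass the allow-list.
    parsed = new URL(href, "https://example.invalid/");
  } catch {
    return FALLBACK_HREF; // unparseable input is treated as unsafe
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? href : FALLBACK_HREF;
}

// Builds the attributes a renderer would put on a link or file-embed button.
// The `download` attribute is attached only when the href survived the check,
// so a rejected target can neither navigate nor trigger a download.
function linkAttributes(href, { download = false } = {}) {
  const cleaned = safeHref(href);
  const attrs = { href: cleaned, rel: "noopener noreferrer" };
  if (download && cleaned !== FALLBACK_HREF) attrs.download = "";
  return attrs;
}

// Constructed sample inputs, including the javascript: case from the report.
const SAMPLE_HREFS = [
  "https://example.com/report.pdf",
  "/files/notes.md",
  "mailto:team@example.com",
  "javascript:alert(origin)",
  "  JavaScript:alert(origin)",
  "java\tscript:alert(origin)",
  "data:text/html,<script>alert(1)</script>",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const h of SAMPLE_HREFS) {
    console.log(JSON.stringify(h), "->", JSON.stringify(safeHref(h)));
  }
}
```

Relative hrefs are returned as written rather than as the resolved absolute URL, so the document's own links keep working; only the scheme decision uses the parsed form.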


YousefED (Collaborator) commented Sep 9, 2024

Thanks @zeyu2001, great spot. What are you using BlockNote for?

zeyu2001 (Contributor, Author) commented Sep 9, 2024

We're building a collaborative note-taking app that has publishing features similar to Notion, so for us it's important that content rendered in another user's browser doesn't contain dangerous links.

matthewlipski (Collaborator) left a comment

Looks great!

matthewlipski merged commit dce1d03 into TypeCellOS:main Sep 11, 2024
4 checks passed