While editing a markdown file through the text app, users can create link elements that have a javascript URL such as javascript:alert(1)
.
Steps to reproduce:
javascript:alert(1)
.{F1060394}
{F1060397}
Note that CSP blocks the javascript from running, but browsers such as IE are still vulnerable.
{F1060402}
An attacker could execute arbitrary JavaScript code on the web browser of a victim who opens the file and clicks the malicious link.