Hi,
Nice with the program launch! Congrats!
I noticed that there was a Share-icon when toggling to the Gallery-view of a directory under “Nextcloud Files”:
{F99938}
If your directory has a malicious name such as an HTML-payload: <img src>, this HTML will run when clicking on the Share-icon:
{F99937}
I see that you have a proper CSP in place, but remember that Internet Explorer is not there yet:
{F99939}
Also, since any user could create files, a user could potentially execute this for an admin (if that admin is not using a CSP-supported browser, that is).
Let me know if you need more information.
Regards,
Frans
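
The fix class for the issue reported above, as an added example that is not part of the original report and not Nextcloud's code: a directory name interpolated into markup unescaped versus HTML-escaped, with a small check that flags any name that adds elements to the rendered fragment. The function names, the share-title markup and the sample names are assumptions made for illustration.

```javascript
// Added example: function names and markup are hypothetical, not Nextcloud's code.

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the user-controlled directory name is concatenated as-is.
function shareTitleUnsafe(dirName) {
  return '<span class="share-title">Share ' + dirName + '</span>';
}

// Hardened pattern: the name is escaped before it reaches the markup.
function shareTitleSafe(dirName) {
  return '<span class="share-title">Share ' + escapeHtml(dirName) + '</span>';
}

// Count opening tags in a fragment. The template itself contributes exactly one
// (<span>), so any higher count means the name was parsed as markup.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Render every name and report whether it injected an element.
function audit(render, names) {
  return names.map((name) => {
    const tags = countTags(render(name));
    return { name, tags, injected: tags !== 1 };
  });
}

// Constructed sample directory names; the second is the inert payload from the report.
const SAMPLE_NAMES = ['Holiday photos', '<img src>', 'Q&A "drafts"'];

console.log('unsafe:', audit(shareTitleUnsafe, SAMPLE_NAMES));
console.log('safe:  ', audit(shareTitleSafe, SAMPLE_NAMES));
```

Output escaping fixes the bug at its source for every browser; the CSP then remains a second layer rather than the only control.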