Feature: Extras > Mathematical Typesetting enabled.
User interaction: Open the vulnerable page or diagram and wheel-click a link.
The Mathematical Typesetting feature allows inline content such as AsciiMath or LaTeX. Using it, you can create an anchor tag via the \href macro. By default, it allows dangerous URL schemes such as javascript:, which permits XSS on click (a wheel click in the draw.io context).
Step 1: Enable Mathematical Typesetting.
Step 2: Copy and paste $$\href{javascript:alert()}{CLICK}$$ into the diagram.
Step 3: Wheel-click the link.
Check the Requirements section if it is not working.
Use the ui/safe extension, which prevents several security risks such as a javascript: scheme in the href attribute.
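As an added example (not draw.io's or MathJax's own code), the check below shows the kind of URL-scheme allowlist that the ui/safe extension applies to \href targets before they become an <a href>, plus a hypothetical helper that reduces a disallowed \href to its visible text. The mathJaxSafeConfig object uses the loader and safeOptions.safeProtocols names as documented for MathJax v3; the protocol values chosen here are an assumption for illustration.

```javascript
// Added example, not code from the original page or from draw.io/MathJax.
// Only these URL schemes are allowed in an \href target (assumed allowlist).
const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Extract the scheme of a URL the way a browser would see it: leading and
// trailing ASCII control/whitespace characters are stripped (a browser strips
// them before parsing, so "  javascript:..." would still execute) and the
// scheme is compared case-insensitively. Returns null for relative URLs.
function hrefProtocol(raw) {
  const cleaned = String(raw).replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() + ":" : null;
}

// true when the target may be emitted as an anchor href.
function isSafeHref(raw) {
  const proto = hrefProtocol(raw);
  if (proto === null) return true; // relative link: no scheme to abuse
  return SAFE_PROTOCOLS.has(proto); // javascript:, data:, vbscript: ... rejected
}

// Hypothetical helper: rewrite a TeX fragment so that every \href whose
// target fails the allowlist keeps only its link text. This mirrors the
// user-visible outcome of ui/safe refusing the URL.
function neutralizeUnsafeHrefs(tex) {
  return tex.replace(/\\href\{([^{}]*)\}\{([^{}]*)\}/g, (whole, url, text) =>
    isSafeHref(url) ? whole : `\\text{${text}}`);
}

// MathJax v3 configuration that loads the ui/safe component and blocks the
// javascript: and data: schemes (option names per the MathJax v3 docs;
// which schemes to enable is a deployment decision, assumed here).
const mathJaxSafeConfig = {
  loader: { load: ["ui/safe"] },
  options: {
    safeOptions: {
      safeProtocols: { http: true, https: true, file: false, javascript: false, data: false },
    },
  },
};

module.exports = { isSafeHref, hrefProtocol, neutralizeUnsafeHrefs, mathJaxSafeConfig };
```

The allowlist approach (accept known-good schemes, treat everything else as unsafe) is deliberate: a denylist of "javascript:" alone misses case variants, leading control characters and other executable schemes that browsers honor.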