Hi, Maintainer,
You submitted a fix in the latest version 0.9.0 with commit c07b4a. But after many tests, I found that this is still not 100% safe. You have set a very simple CSP, which can be bypassed.
https://drive.google.com/file/d/1glQfxLs6pZP6B87cYlIFf7LmLT9Z4oz5/view?usp=share_link
1. Create a JS file named `123.js` with the following contents:

```js
alert('/xss/')
```

2. Click the resource section to upload our JS file, and copy the path of the uploaded JS file. For example, the path is
https://demo.usememos.com/o/r/20/123.js. This path will be used in the following HTML file.
3. Create an HTML file named `hello.html` with the following contents.
Please note that the value of src is the second half of the path of the JS file we just uploaded:

```html
<script src='../20/123.js'></script> <!-- The value of src depends on the path of the JS file -->
```

4. Finally, preview hello.html.
My suggestion is to use a more secure CSP, or perhaps you have a better way. I hope we can make this project better. The following is my suggestion:
```
Content-Security-Policy:
object-src 'none';
script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
base-uri 'none';
report-uri https://your-report-collector.example.com/
```
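As an added illustration (this is example code written for this page, not code from memos or from the reporter), the Go program below models the script-src matching that makes the bypass above work and that the proposed nonce-based policy closes. Go is used because the memos server is written in Go. It assumes a page URL of https://demo.usememos.com/o/r/21/hello.html for the previewed hello.html (the issue only gives the path of 123.js and the relative src `../20/123.js`), uses made-up function names (`NewNonce`, `BuildCSP`, `ParseScriptSrc`, `Allowed`), models only external `<script src=...>` elements and only the source kinds the two policies use (no host-sources), and simplifies `'strict-dynamic'` by treating any script that was not parser-inserted as one created by an already-trusted script.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// ScriptSrc is the parsed script-src directive of a Content-Security-Policy. Only the
// source kinds that matter for external <script> elements in the issue's two policies are
// modelled: 'self', scheme-sources, nonces and 'strict-dynamic' (host-sources are omitted).
type ScriptSrc struct {
	Self, StrictDynamic bool
	Schemes             map[string]bool // scheme-sources such as "https", "http"
	Nonces              []string        // values of 'nonce-...' sources
}

// Script is one external <script src=...> element as the browser sees it.
type Script struct {
	Src            string // src attribute, possibly relative like '../20/123.js'
	Nonce          string // nonce attribute, if any
	ParserInserted bool   // true for markup, false for createElement('script')
}

// NewNonce returns a fresh 128-bit base64 nonce; generate one per response.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// BuildCSP fills a nonce into the policy proposed in the issue above.
func BuildCSP(nonce, reportURI string) string {
	return fmt.Sprintf("object-src 'none'; script-src 'nonce-%s' 'unsafe-inline' 'unsafe-eval' "+
		"'strict-dynamic' https: http:; base-uri 'none'; report-uri %s", nonce, reportURI)
}

// ParseScriptSrc extracts the script-src directive from a full CSP string.
func ParseScriptSrc(csp string) ScriptSrc {
	p := ScriptSrc{Schemes: map[string]bool{}}
	for _, d := range strings.Split(csp, ";") {
		f := strings.Fields(d)
		if len(f) == 0 || f[0] != "script-src" {
			continue
		}
		for _, src := range f[1:] {
			switch {
			case src == "'self'":
				p.Self = true
			case src == "'strict-dynamic'":
				p.StrictDynamic = true
			case strings.HasPrefix(src, "'nonce-"):
				p.Nonces = append(p.Nonces, strings.Trim(strings.TrimPrefix(src, "'nonce-"), "'"))
			case strings.HasSuffix(src, ":"):
				p.Schemes[strings.TrimSuffix(src, ":")] = true
			} // 'unsafe-inline', 'unsafe-eval' and hashes do not affect external scripts here
		}
	}
	return p
}

// Allowed decides whether a browser would run s on the page at pageURL under p,
// following the CSP3 matching rules for the source kinds parsed above.
func Allowed(p ScriptSrc, pageURL string, s Script) bool {
	for _, n := range p.Nonces {
		if n != "" && s.Nonce == n {
			return true // a matching nonce always wins
		}
	}
	if p.StrictDynamic {
		// 'strict-dynamic' discards 'self' and scheme sources: only nonced scripts, and scripts
		// they add through non-parser APIs, run. Simplification (assumed): a script that is not
		// parser-inserted is taken to have been created by such a trusted script.
		return !s.ParserInserted
	}
	page, err := url.Parse(pageURL)
	if err != nil {
		return false
	}
	target, err := page.Parse(s.Src) // resolves '../20/123.js' against the page URL
	if err != nil {
		return false
	}
	if p.Self && target.Scheme == page.Scheme && target.Host == page.Host {
		return true // the uploaded file is same-origin, so a plain 'self' lets it run
	}
	return p.Schemes[target.Scheme] // e.g. https: lets any https URL load
}

func main() {
	nonce, _ := NewNonce()
	strict := ParseScriptSrc(BuildCSP(nonce, "https://your-report-collector.example.com/"))
	page := "https://demo.usememos.com/o/r/21/hello.html" // assumed location of the previewed hello.html
	uploaded := Script{Src: "../20/123.js", ParserInserted: true}
	fmt.Println("'self' policy runs the uploaded script:", Allowed(ParseScriptSrc("script-src 'self'"), page, uploaded))
	fmt.Println("nonce policy runs the uploaded script:", Allowed(strict, page, uploaded))
}
```

The point the model makes explicit: a policy built on `'self'` cannot distinguish the application's own bundle from a user upload served from the same origin, which is exactly what step 3 exploits; with a per-response nonce plus `'strict-dynamic'`, the uploaded 123.js is rejected even though it is same-origin and even though `https:` is listed, because those sources are ignored once `'strict-dynamic'` is present and only scripts carrying the nonce (or loaded by them) run. Whatever policy is chosen, the nonce must be regenerated for every response and injected into the application's own `<script>` tags server-side.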