huntr | christynorl | 6E4A1961-DBCA-46F6-AE21-C25A621E54A7
History: Dec 23, 2022 - 3:56 p.m.

CSP bypass via js file

2022-12-23 15:56:39
christynorl
www.huntr.dev
11
security fix
csp bypass
javascript file
html file
secure csp
bug bounty

0.001 Low

EPSS

Percentile

20.3%

Description

Hi, Maintainer,
You submitted a fix in the latest version 0.9.0 with commit c07b4a. But after many tests, I found that this is still not 100% safe. You have set a very simple CSP, which can be bypassed.

Video link

https://drive.google.com/file/d/1glQfxLs6pZP6B87cYlIFf7LmLT9Z4oz5/view?usp=share_link

Steps

1. Create a js file named '123.js'. The contents are as follows.

alert('/xss/')

2. Click the resource section to upload our js file. We need to copy the path of the js file. For example, the path is https://demo.usememos.com/o/r/20/123.js. This path will be used in the following html file.

3. Create an html file named 'hello.html'. The contents are as follows.

Please note that the content of src is the second half of the path of the js file we just uploaded (the value of src depends on the path of the js file).

<script src='../20/123.js'></script>

4. Finally, preview hello.html.

My suggestion is to use a more secure CSP, or you may have a better way. I hope we can make this project better. The following are my suggestions.

Content-Security-Policy:
  object-src 'none';
  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
  base-uri 'none';
  report-uri https://your-report-collector.example.com/
