SiYuan has a SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS
SVG Sanitizer Bypass via Whitespace in `javascript:` URI — Unauthenticated XSS

Summary: SiYuan's SVG sanitizer `SanitizeSVG` checks `href` attributes for the `javascript:` prefix using `strings.HasPrefix`. However, inserting ASCII tab, newline, or carriage return characters inside the `javascript:` string...
GHSA-VP4F-WXGW-7X8X Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client
Impact: Improper input validation in the `init` function allows arbitrary JavaScript to be executed using the `javascript:` prefix, e.g. `SSO.init('javascript:alert("javascript successfully injected")')`.

Patches: This vulnerability was patched in version 0.1.0.

Workarounds: This vulnerability can be prevented if...