onionshare_cli is vulnerable to improper access control. The vulnerability allows a remote unauthenticated attacker to inject javascript or other external resources like fonts or images via Tor
network because it is not possible to configure this CSP for individual pages.