Dragging a URL out of a cross-origin iframe that is removed from the page while the drag is in progress may lead to user confusion and website spoofing attacks. This vulnerability affects Typora <= 1.8.10. Typora renders raw HTML embedded in a markdown file, so a crafted document can load an arbitrary cross-origin page inside the editor. The HTML tag used in the proof of concept is:
<iframe src="https://www.bing.com">test</iframe>
Steps to reproduce:
- Download the latest version of Typora from https://typora.io/. The version at the time I downloaded it was 1.8.10.
- Use Typora to open or edit a markdown file. For example, I created a file called “iframeTest.md” with Typora.
- Enter <iframe src="https://www.bing.com">test</iframe> so that Typora parses the HTML tag; the embedded page is then rendered inside the document, and any drag-and-drop from it is subject to the behaviour described above.
(screenshot: immediately after entering the iframe tag, before Typora parses it)
(screenshot: after Typora parses the iframe tag)
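The precondition for the issue above is a markdown file that carries a raw iframe, embed or object tag pointing at a remote origin, which Typora <= 1.8.10 renders as live content. The following is an added example (not Typora's code and not part of the original report) of a small pre-open check that scans markdown text for such tags and flags the ones that load cross-origin content. The scanner goes slightly beyond the single iframe in the report: it also handles embed and object tags and scheme-relative (//host) URLs. The sample markdown, the allowed host name and the function names are all assumptions made for the example.

```python
"""Scan markdown text for raw HTML tags that load cross-origin content.

Added example for the Typora <= 1.8.10 iframe drag-and-drop report; this is
illustrative code, not Typora's own. Sample input below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Raw HTML tags that load remote content when a markdown editor renders them,
# mapped to the attribute that carries the URL.
EMBED_TAGS = {"iframe": "src", "embed": "src", "object": "data"}


class EmbedFinder(HTMLParser):
    """Collect (tag, url, line) for every embed-type start tag seen."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = EMBED_TAGS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr) or ""
        line, _offset = self.getpos()  # 1-based line where the tag starts
        self.found.append((tag, url, line))


def find_embeds(markdown_text):
    """Return [(tag, url, line)] for each iframe/embed/object tag in the text."""
    parser = EmbedFinder()
    parser.feed(markdown_text)
    parser.close()
    return parser.found


def is_cross_origin(url, allowed_hosts=()):
    """True when the URL loads from a remote host that is not allow-listed.

    Relative paths and data: URLs stay within the document and are not
    reported; http(s) and scheme-relative (//host/...) URLs are checked.
    """
    parsed = urlparse(url)
    if not parsed.netloc or parsed.scheme not in ("", "http", "https"):
        return False
    return parsed.hostname not in set(allowed_hosts)


def scan_markdown(markdown_text, allowed_hosts=()):
    """Return a list of findings for cross-origin embeds in the markdown."""
    hits = []
    for tag, url, line in find_embeds(markdown_text):
        if is_cross_origin(url, allowed_hosts):
            hits.append({
                "tag": tag,
                "url": url,
                "line": line,
                "host": urlparse(url).hostname,
            })
    return hits


# Constructed sample: a markdown file like the report's iframeTest.md plus a
# few extra embeds to show what is and is not flagged.
SAMPLE_MD = "\n".join([
    "# Notes",                                                 # line 1
    "",                                                        # line 2
    '<iframe src="https://www.bing.com">test</iframe>',        # line 3: flagged
    "",                                                        # line 4
    '<embed src="/local/video.mp4">',                          # line 5: relative, ok
    "",                                                        # line 6
    '<object data="//evil.example/frame"></object>',           # line 7: flagged
    "",                                                        # line 8
    '<iframe src="https://intranet.example/dash"></iframe>',   # line 9: allow-listed
])

if __name__ == "__main__":
    for hit in scan_markdown(SAMPLE_MD, allowed_hosts={"intranet.example"}):
        print(f"line {hit['line']}: <{hit['tag']}> loads cross-origin {hit['host']}")
```

Running a check like this over documents received from untrusted sources before opening them in an affected Typora version removes the attacker's ability to place a cross-origin frame in the editor in the first place; it does not change Typora's drag-and-drop behaviour itself.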