All: Security: Disallow EMBED tags to prevent XSS vulnerability

laurent22 · Sep 6, 2020 · 57d750b · 57d750b
1 parent fbe9669
commit 57d750b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/ReactNativeClient/lib/joplin-renderer/htmlUtils.js b/ReactNativeClient/lib/joplin-renderer/htmlUtils.js
@@ -91,7 +91,7 @@ class HtmlUtils {
 		// that can break several plugins, such as Katex (which needs to load CSS
 		// files using a relative URL). For that reason it is disabled.
 		// More info: https://github.com/laurent22/joplin/issues/3021
-		const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base'];
+		const disallowedTags = ['script', 'iframe', 'frameset', 'frame', 'object', 'base', 'embed'];
 
 		const parser = new htmlparser2.Parser({