From 1a195e23ddc5af8f2780b71cbb4c21f276e16c56 Mon Sep 17 00:00:00 2001
From: Henry Heino <46334387+personalizedrefrigerator@users.noreply.github.com>
Date: Mon, 14 Oct 2024 09:51:28 -0700
Subject: [PATCH] Desktop: Security: Improve Markdown viewer link handling (#11201)

---
 packages/app-desktop/gui/note-viewer/index.html | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/packages/app-desktop/gui/note-viewer/index.html b/packages/app-desktop/gui/note-viewer/index.html
index 374ad60ad..55531e1fd 100644
--- a/packages/app-desktop/gui/note-viewer/index.html
+++ b/packages/app-desktop/gui/note-viewer/index.html
@@ -733,6 +733,13 @@
 }));
 document.addEventListener('click', webviewLib.logEnabledEventHandler(e => {
+ // Links should all have custom click handlers. Allowing Electron to load custom links
+ // can cause security issues, particularly if these links have the same domain as the
+ // top-level page.
+ if (e.target.hasAttribute('href')) {
+ e.preventDefault();
+ }
+
 document.querySelectorAll('.media-pdf').forEach(element => {
 if(!!element.contentWindow){
 element.contentWindow.postMessage({