Summary
A DOM clobbering vulnerability causes most script interactions with the Markdown viewer to fail with errors.
Details
Joplin's HTML sanitizer allows the `name` attribute to be specified. If `name` is set to the same value as an existing `document` property (e.g. `querySelector`), that property is replaced with the element.
See Wikipedia: DOM Clobbering.
PoC
- Create a note with the following content:
<img name=getElementById src=x/>
- Attempt to switch notes.
- Observe that the content of the original note is still visible.
- Observe that the console contains errors:
lib.js:217 Uncaught TypeError: document.getElementById is not a function
Impact
This vulnerability's only known impact is denial of service — the note viewer fails to refresh until closed and re-opened with a different note.
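One way a sanitizer hook could reject the attribute used in the PoC, shown as an added example that is not Joplin's code or its actual fix. The hook name `stripClobberingAttrs`, its attribute-object input and the sample member list are assumptions made for illustration.

```javascript
// Elements whose `name` is exposed as a named property of `document`
// (HTML spec, named access on Document).
const NAMED_ON_DOCUMENT = new Set(['embed', 'form', 'iframe', 'img', 'object']);

// Constructed subset of Document members so this runs outside a browser.
// In a browser, pass `(n) => n in document` as isDocumentMember instead.
const SAMPLE_DOCUMENT_MEMBERS = new Set([
  'getElementById', 'querySelector', 'querySelectorAll', 'createElement',
  'body', 'head', 'cookie', 'location', 'forms', 'addEventListener',
]);

// Attributes of this element that become keys on `document`.
function documentKeys(tag, attrs) {
  const t = tag.toLowerCase();
  if (!NAMED_ON_DOCUMENT.has(t)) return [];
  const keys = [];
  if (attrs.name) keys.push('name');
  // `id` is exposed for <object>, and for <img> only when `name` is non-empty.
  if (attrs.id && (t === 'object' || (t === 'img' && attrs.name))) keys.push('id');
  return keys;
}

// Hypothetical sanitizer hook: drop attributes whose value would shadow a
// Document member; every other attribute passes through unchanged.
function stripClobberingAttrs(tag, attrs,
    isDocumentMember = (n) => SAMPLE_DOCUMENT_MEMBERS.has(n)) {
  const kept = { ...attrs };
  const removed = [];
  for (const attr of documentKeys(tag, attrs)) {
    if (isDocumentMember(attrs[attr])) {
      delete kept[attr];
      removed.push(attr);
    }
  }
  return { attrs: kept, removed };
}

// The PoC element from this advisory, as already-parsed attributes.
const poc = stripClobberingAttrs('img', { name: 'getElementById', src: 'x' });
console.log(poc.removed, poc.attrs);
```

The check is conservative: it does not model the spec's "exposed" conditions for `embed` and `object`, so it may strip a `name` that would not actually have been reachable from `document`.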