Cross-site Scripting (XSS) - Reflected in tagspaces/viewerText

Valid
Reported on May 18th 2021

✍️ Description

viewerText, which TagSpaces uses to show a preview of text files, is vulnerable to cross-site scripting.

🕵️‍♂️ Proof of Concept

If any HTML is fed to the setContent function:

setContent("<script>alert('xss');</script>");

It appends it to the DOM without any filtering:

$textContent.empty().append(content);

💥 Impact

This vulnerability is capable of manipulating the DOM and running arbitrary JavaScript. As TagSpaces is an Electron application and uses this library in its core, I utilized this to gain code execution, which is disclosed here.
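
The sink shown in the proof of concept, next to a hardened form, as an added example that is not code from the viewerText project. Only `$textContent` and the payload string come from the report; `setContentSafe`, `renderPreviewHtml`, `escapeHtml` and the fake container are hypothetical names, and the container is a constructed stand-in for a jQuery object so the block runs without a DOM.

```javascript
// Added example: names other than $textContent are hypothetical.

// Escape the characters that let file text break out into markup or attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened setContent: file content is data, so it is inserted as text.
// jQuery's .text(value) inserts a text node; .append(string) parses the string as HTML.
function setContentSafe($textContent, content) {
  $textContent.empty().text(String(content));
}

// For code paths that must build an HTML string (a template, for instance), escape first.
function renderPreviewHtml(content) {
  return '<pre class="preview">' + escapeHtml(content) + '</pre>';
}

// Constructed stand-in for a jQuery object. `html` approximates what the
// container's markup would be after each call.
function makeFakeContainer() {
  return {
    html: '',
    empty() { this.html = ''; return this; },
    append(markup) { this.html += markup; return this; },         // string treated as HTML
    text(value) { this.html = escapeHtml(value); return this; },  // string treated as text
  };
}

const payload = "<script>alert('xss');</script>"; // PoC string from the report

function demo() {
  const vulnerable = makeFakeContainer();
  vulnerable.empty().append(payload);   // the pattern from the report
  const fixed = makeFakeContainer();
  setContentSafe(fixed, payload);       // same input, text sink
  return { vulnerable: vulnerable.html, fixed: fixed.html, template: renderPreviewHtml(payload) };
}

console.log(demo());
```

In an Electron renderer, the same change (a text sink instead of an HTML sink) is the first line of defence; a Content Security Policy and disabled Node integration in the preview window limit the damage if another HTML sink is missed.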