XSS vulnerability

[htadashi]

The XSS vulnerability reported by @augustozanellato in ahrm/chrome-fastread#10 (comment) is also present on Jiffy reader.

[X140Yu]

The Chrome Store version does have this issue, but I tried with the latest master on the poc, and the issue has been fixed, need to furder confirm

[Cveinnt]

I have provided a hackish solution in that discussion, which uses a simple htmlescaper to prevent basic XSS. See more here. Let me know if anyone has a better solution!

[Explosion-Scratch]

I have provided a hackish solution in that discussion, which uses a simple htmlescaper to prevent basic XSS. See more here. Let me know if anyone has a better solution!

Hackish would be making a function that sets innertext of a created element then gets its HTML, regex is not hackish

[asieduernest12]

Resources
https://gomakethings.com/preventing-cross-site-scripting-attacks-when-using-innerhtml-in-vanilla-javascript/

[HuiiBuh]

I honestly am not even sure if there is a potential for a xss attack.
Something like <script>alert("asdf")script> always gets broken up and ends up like this.

In addition to that this regex \p{L} searches for letters.

jiffyreader.com/src/ContentScript/documentParser.js

Line 36 in a265fca

return sentenceText.replace(/\p{L}+/gu, (word) => {

And as far as I know there is no way to compose an xss attack with only special characters (But I might be wrong on this account) and not a single letter, because everything else (a mix of both) will be replaced with some custom <br-bold> elements in between.

[ansh]

Closing as not a concern at the moment.

Any proof of a genuine vulnerability will necessitate a re-opening of this issue.