Electron and XSS: How Small Bugs Escalate to Big Problems

Eric Damtoft
DealerOn Dev
Published in
4 min readJan 25, 2019


Photo by Markus Spiske on Unsplash

Earlier this month, a colleague noticed some formatting issues going on in Azure Data Studio (formerly SQL Operations Studio). For background, Azure Data Studio is basically SQL Server Management Studio’s little sibling that’s meant to be a cross-platform application for running SQL queries and performing basic management tasks. It’s built with Electron and based on the same guts as the popular Visual Studio Code editor.

Normally, a formatting bug in a desktop app isn’t something to bat an eye over, but what was happening was that HTML in the database was somehow leaking outside of what should have been a text field and being rendered onto the page as formatted HTML.

HTML should be in its column as text, but ended up actually getting rendered to the page

Since an Electron app like Azure Data Studio is basically a web browser masquerading as a desktop app, this quickly raised concern about Cross Site Scripting (XSS). XSS happens when you can inject arbitrary HTML or JavaScript onto a page, either from server-generated content or from setting a raw string as innerHTML without proper escaping. Injected JavaScript on a login page or checkout page can easily steal sensitive information or take over an account. In general, although this can…