Electron and XSS: How Small Bugs Escalate to Big Problems

Eric Damtoft
Jan 25 · 4 min read
Photo by Markus Spiske on Unsplash
HTML should be in its column as text, but ended up actually getting rendered to the page
element.innerHTML = `<span title="${value}">...</span>`;
<span title=""><h1>Hello World</h1><span title="">...</span>
With node integration, what started out as an HTML formatting bug turned into shell access.

DealerOn Dev

On the DealerOn Dev Team, we strive to be the industry leader in code quality, innovation, and culture. Visit www.dealeron.com/join-our-team to learn more. The author’s views expressed in this publication are endorsed by DealerOn. The author’s views elsewhere may not be.

Eric Damtoft

Written by

Software Architect at DealerOn

DealerOn Dev

On the DealerOn Dev Team, we strive to be the industry leader in code quality, innovation, and culture. Visit www.dealeron.com/join-our-team to learn more. The author’s views expressed in this publication are endorsed by DealerOn. The author’s views elsewhere may not be.