Security concerns with z3-js boxes #62
My understanding of the issue after speaking with a security researcher:

> If you enable code sharing, you'll expose yourself to execute malicious javascript on microsoft.github.io domain

Now that we `eval` every `z3-js` snippet, the door to potential security attacks is opened.

A possible scenario I could think of is that someone forks this repo, changes some `z3-js` content to be malicious, and hosts it on a public github page. Visitors of that page could have their information stolen through such malicious content.

Pretty sure the official docusaurus website has some mechanism against it as there are executable and editable JS blocks too.

TODO:
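
One way to contain the risk described in this issue, shown as an added example that is not part of the issue or of the project's code: instead of calling `eval` in the page's own origin, run the shared snippet in a sandboxed iframe with an opaque origin and accept only validated replies. Assumptions: all function names are hypothetical, and the frame evaluates plain JavaScript; loading the Z3 runtime inside it would require widening the frame's CSP.

```javascript
// Added example; names are hypothetical and not taken from the repository.
// Fixed bootstrap that runs inside the sandboxed frame. The shared snippet is
// never spliced into this markup; it arrives later via postMessage.
const FRAME_SRCDOC = [
  '<!doctype html>',
  // No network and no subresources: only the inline bootstrap may run.
  `<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval'">`,
  '<script>',
  'addEventListener("message", (e) => {',
  '  let reply;',
  '  try { reply = { ok: true, value: String(new Function(e.data.code)()) }; }',
  '  catch (err) { reply = { ok: false, value: String(err) }; }',
  '  parent.postMessage({ id: e.data.id, ...reply }, "*");',
  '});',
  '</script>',
].join('\n');

// "allow-scripts" without "allow-same-origin" gives the frame an opaque
// origin, so snippet code cannot read the host page's cookies, storage or DOM
// the way code passed to eval() in the page itself can.
function sandboxFrameAttributes() {
  return { sandbox: 'allow-scripts', srcdoc: FRAME_SRCDOC };
}

// Accept a reply only if it comes from our frame, from an opaque origin
// (serialized as "null"), and answers a request we actually sent.
function acceptResult(event, frameWindow, pendingIds) {
  const d = event.data;
  if (event.source !== frameWindow || event.origin !== 'null') return null;
  if (!d || typeof d !== 'object' || !pendingIds.has(d.id)) return null;
  if (typeof d.ok !== 'boolean' || typeof d.value !== 'string') return null;
  pendingIds.delete(d.id); // one reply per request
  return { ok: d.ok, value: d.value }; // render with textContent, never innerHTML
}

// Browser wiring; only this function touches the DOM.
function runShared(code, onResult) {
  const frame = document.createElement('iframe');
  for (const [k, v] of Object.entries(sandboxFrameAttributes())) frame.setAttribute(k, v);
  frame.hidden = true;
  const pending = new Set([1]);
  addEventListener('message', (e) => {
    const r = acceptResult(e, frame.contentWindow, pending);
    if (r) { onResult(r); frame.remove(); }
  });
  frame.onload = () => frame.contentWindow.postMessage({ id: 1, code }, '*');
  document.body.append(frame);
}
```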