Evaluating lines that contain HTML leads to XSS
MrMebelMan opened this issue · comments
Vladyslav Burzakovskyy commented
Evaluation of this string
'<iframe src="https://player.vimeo.com/video/148751763?title=0&byline=0&portrait=0&transparent=0&autoplay=1" width="640" height="480" frameborder="0" allow="autoplay; fullscreen" allowfullscreen></iframe>'
leads to an iframe being injected into the logger window 🕺
I've found this after investigating why I can't see Player objects when executing print(Clock)
Here's the related PR that adds HTML escaping to both input and subprocess output: #13
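The injection path described in this issue, as an added illustration that is not code from the project or from the PR linked above: a log window that concatenates an evaluated string straight into markup renders the `<iframe>`, while escaping the string first (the approach the PR takes) renders it as visible text. The function names, the `div.log-line` wrapper and the shortened sample string are assumptions made for this example.

```javascript
// Added example, not the project's code: why evaluating a string that contains
// HTML injects markup into an HTML-based log window, and the escaping fix.

// Constructed sample input, modelled on the iframe string from the issue report.
const SAMPLE_OUTPUT =
  '<iframe src="https://player.vimeo.com/video/148751763?title=0" width="640" height="480"></iframe>';

// Escape the five characters that can open a tag, close an attribute or start an entity.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the evaluated text is interpolated into markup unchanged, so any
// tag inside it becomes a live element once this string is assigned to innerHTML.
function renderLogLineUnsafe(text) {
  return `<div class="log-line">${text}</div>`;
}

// Hardened: escape first, so the browser shows "<iframe ...>" as text. In a real
// DOM the equivalent is creating the element and setting textContent instead of innerHTML.
function renderLogLineSafe(text) {
  return `<div class="log-line">${escapeHtml(text)}</div>`;
}

// Check whether the rendered line contains any tag besides the wrapper div
// (hypothetical helper used only to make the difference observable).
function containsForeignTag(html) {
  const inner = html.replace(/^<div class="log-line">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderLogLineUnsafe(SAMPLE_OUTPUT));
  console.log('safe   :', renderLogLineSafe(SAMPLE_OUTPUT));
}
```

The escaping has to be applied to both the echoed input line and the evaluated output, since either can carry markup; escaping only one side leaves the other path open. Escape at the point where text meets markup, not earlier, so the log still stores the raw string for copy and search.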
Jonathan Giroux (Koltes) commented