I wonder if JavaScript in notes is run by any client out there.
Discussion
been waiting for some novice client to be xss’d for a bit now tbh
Immediate XSS if so, secrets exfil trivial after that
Just around the time Jack joined, a few web apps did and it was a major security issue. A few people exploited it, some accounts were exposed, and a few web apps were taken down and/or modified to prevent it happening.