
Author Topic: Vulnerabilities of markdown desktop apps (Electron framework) vs classical  (Read 693 times)

tudi_x

  • Sr. Member
  • ****
  • Posts: 439
Vulnerabilities of markdown desktop apps (Electron framework) versus classical Lazarus desktop apps:
https://statuscode.ch/2017/11/from-markdown-to-rce-in-atom/

lainz

  • Hero Member
  • *****
  • Posts: 2496
  • I'm coding :)
    • Lainz
Re: Vulnerabilities of markdown desktop apps (Electron framework) vs classical
« Reply #1 on: November 25, 2017, 06:44:43 pm »
Vulnerabilities of markdown desktop apps (Electron framework) versus classical Lazarus desktop apps:
https://statuscode.ch/2017/11/from-markdown-to-rce-in-atom/

I hoped to see the word Lazarus somewhere in the article.

Already fixed so what's the problem again?
« Last Edit: November 25, 2017, 06:48:20 pm by lainz »

tudi_x

Re: Vulnerabilities of markdown desktop apps (Electron framework) vs classical
« Reply #2 on: November 25, 2017, 06:56:02 pm »
The problem again is that the concept brings common web security issues to desktop apps.
Some users of these apps are not aware of what lies under the hood.
« Last Edit: November 25, 2017, 06:58:09 pm by tudi_x »

lainz

Re: Vulnerabilities of markdown desktop apps (Electron framework) vs classical
« Reply #3 on: November 25, 2017, 07:07:01 pm »
That's true. Else such a severe bug will not be discovered.

But it does nothing with Lazarus I think. Lazarus opens .md files as plain text, also not highlighted.

About XSS, we can't compare compiled code vs. script code. I think that was your point of comparing it with Lazarus: Lazarus can never get an XSS by its nature if you don't include JavaScript or another scripting language in it (PascalScript, Lua, anything).

But if you do?

The same happens for WebView apps for Android, if you enable JavaScript your code is highlighted with a warning.

But in Lazarus we don't have the benefits of the web world. The web is a double-edged sword.

 
