Popup window on enable and startup about obsidian-omnisearch HOT 3 CLOSED

• Does the problem appear when Omnisearch is the only enabled plugin?
  • If not, what are the other enabled plugins?

I don't have this issue, and Omnisearch itself definitely doesn't alert() anything. I first thought that you might have a note with some HTML & JavaScript that was triggered during indexing, but that doesn't seem to be that. If you can't locate the incompatible plugin(s), could you send me your plugins list?

Thank you

from obsidian-omnisearch.

Hi, thanks for the prompt response.

It does happen when I only have the plugin as well.

However, when I created a totally new vault, copied the plugin and paste it there, it doesn't do a popup.
Does the plugin read the notes on startup? Maybe I have one note somewhere which does alert() and the plugin reads it and renders it?

So after adding my notes folder one by one, and trying to replicate the error, I found that as soon as I copied in my notes the popup would appear. Then I used that to narrow down the note that I have, and down to the specific line, line number 5.

I narrowed it down to this file, where I kept a list of command injection payloads and xss payloads. My other payloads have been removed from this file, as it doesn't cause the popup.

If your plugin is disabled, it won't spawn a popup, but when it is enabled, and I copied the note into the vault, it will popup. It seems like your plugin might be vulnerable to XSS, which is weird because the payload is in code format.

\```

echo '<img src=https://crowdshield.com/.testing/xss.js onload=prompt(2) onerror=alert(3)></img>'// XXXXXXXXXXX

\```

(note: please remove the leading slash as I cannot escape the nested triple ticks on the github flavour markdown.)

from obsidian-omnisearch.

Yep that's it, thanks for your investigation!

I'll add a sanitization step asap, before the notes indexing.

from obsidian-omnisearch.