by kevsim 2117 days ago
Oh man, the use of <area> and <map> here is awesome. Not enough of a security guy to know if this is a typical approach, but it's devious.

I guess the moral of the story is to try not to have a place where arbitrary HTML is injected?


Yep. HTML is a huge surface, so just blocking "interesting" tags / attributes is fragile at best (similar to misguided attempts to block SQL injection through string validation instead of cutting off the root cause).

The other moral of the story is you need to be extra careful to write a secure Electron program, since XSS is a bigger problem than it would be in a desktop browser. Step 3 shows that the RCE could execute programs outside of the JS environment.

Yes, blacklisting HTML tags instead of whitelisting (or parsing into some abstract form and reserializing) is a world of pain and very hard to get right.

Additionally, CSP/iframe have a sandbox flag that can prevent navigating the _top target, which may have prevented this exploit assuming it could have been used (don't know what the Slack code looks like; maybe there was some reason it wasn't applicable).
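An added example (not from this thread and not Slack's code) of the allowlist-and-reserialize approach the comments recommend: a minimal JavaScript tokenizer keeps only allowlisted tags and attributes, drops every other tag whole, and escapes the remaining text. The tag list, URL rule and token regex are simplifications assumed for illustration; a real deployment should use a maintained parser-based sanitizer.

```javascript
// Allowlist sanitizer: tokenize, keep known tags/attributes, re-serialize.
// Tag and attribute allowlist (assumed for this example).
const ALLOWED = { p: [], b: [], i: [], br: [], a: ['href'] };
// Only http(s), protocol-relative, root-relative, fragment and mailto links.
const SAFE_URL = /^(https?:)?\/\/|^\/(?!\/)|^#|^mailto:/i;

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// A token is either a tag (name + raw attribute string), a run of text,
// or a stray '<' that did not start a tag (treated as text).
const TOKEN = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>|[^<]+|</g;
const ATTR = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function sanitize(html) {
  let out = '';
  for (const m of html.matchAll(TOKEN)) {
    const [tok, name, attrs] = m;
    if (!name) { out += escapeText(tok); continue; } // text or stray '<'
    const tag = name.toLowerCase();
    const allowedAttrs = ALLOWED[tag];
    if (!allowedAttrs) continue;                      // unknown tag: dropped whole
    if (tok[1] === '/') { out += `</${tag}>`; continue; }
    let rebuilt = `<${tag}`;
    for (const a of (attrs || '').matchAll(ATTR)) {
      const an = a[1].toLowerCase();
      const av = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowedAttrs.includes(an)) continue;       // e.g. event handlers
      if (an === 'href' && !SAFE_URL.test(av.trim())) continue;
      rebuilt += ` ${an}="${escapeText(av)}"`;       // always re-quoted
    }
    out += rebuilt + '>';
  }
  return out; // note: pre-existing entities in text are re-escaped (&amp; -> &amp;amp;)
}
```

Tag balancing is intentionally omitted here; a tree-based sanitizer would also close unbalanced elements.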