mirror of
https://github.com/FreshRSS/FreshRSS.git
synced 2026-02-05 19:11:06 -05:00
6549932d59
Related: https://github.com/FreshRSS/xExtension-Demo/pull/2, https://github.com/FreshRSS/FreshRSS/pull/7559#issuecomment-2858083635 Mostly to make sure that no one is able to break the demo instance But the issues below could possibly be exploited in other scenarios too: * Setting a theme like `../../lib/core-extensions/UserJS`: this directory contains `metadata.json` like themes do, so FreshRSS treats it as a theme after setting it and doesn't load any CSS * Setting a theme like `x dropdown-menu`: the `dropdown-menu` class was able to get injected into the `<body>` element since https://github.com/FreshRSS/FreshRSS/pull/7559 and turn every page blank