I found a stored XSS in the slideshow feature of HedgeDoc. It was the preview release, so no CVE (or patch), but here's the writeup anyway! 🦔
cryptocat.me/blog/researc...
Root cause analysis of a stored XSS in HedgeDoc 2's slideshow renderer, where a Reveal data-background-iframe attribute carrying a javascript: URL survives DOMPurify and is later loaded as an iframe s...
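
The link preview above attributes the bug to a `data-background-iframe` value with a `javascript:` scheme getting past sanitization. As an added example (not code from the writeup, HedgeDoc, Reveal or DOMPurify), here is a scheme allowlist for that attribute; the function names, the `https://notes.example/` base origin and the global `DOMPurify` in the browser wiring are assumptions.

```javascript
// Added example: not HedgeDoc, Reveal or DOMPurify code.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
// Assumed origin used to resolve relative URLs; substitute the app's own.
const BASE = 'https://notes.example/';

// True only if the attribute value resolves to an http(s) URL.
function isSafeIframeUrl(value) {
  if (typeof value !== 'string' || value.trim() === '') return false;
  let url;
  try {
    // The WHATWG parser trims leading control characters and spaces, drops
    // tabs and newlines, and lowercases the scheme, so obfuscated spellings
    // of a scheme are normalised before the comparison below.
    url = new URL(value, BASE);
  } catch {
    return false; // unparseable values are rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Takes one element's attributes as a plain object, drops an unsafe
// data-background-iframe and reports what was removed.
function scrubSlideAttributes(attrs) {
  const kept = {};
  const rejected = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (name.toLowerCase() === 'data-background-iframe' && !isSafeIframeUrl(value)) {
      rejected.push(name);
      continue;
    }
    kept[name] = value;
  }
  return { kept, rejected };
}

// Browser wiring (assumes a global DOMPurify; skipped when run under Node).
if (typeof DOMPurify !== 'undefined') {
  DOMPurify.addHook('uponSanitizeAttribute', (node, data) => {
    if (data.attrName === 'data-background-iframe' && !isSafeIframeUrl(data.attrValue)) {
      data.keepAttr = false; // remove the attribute before Reveal can read it
    }
  });
}

// Constructed sample values, printed with the verdict for each.
const samples = ['https://example.org/embed', '/slides/bg.html',
  'javascript:void(0)', '  JaVaScRiPt:void(0)', 'java\tscript:void(0)', 'data:text/html,x'];
for (const s of samples) console.log(JSON.stringify(s), isSafeIframeUrl(s));
```

The check belongs wherever the attribute value is last seen before the slideshow code turns it into an iframe source, since a sanitizer that only inspects standard URL attributes will not look inside a `data-*` value.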