Hi,
Recently we have discovered a vulnerability which allows execute a potentially harmful code in the plugin using
@startuml
Bob -> Alice : [[javascript:alert('test')]]
@enduml
OR
@startuml
component foo1 as "Click me!" [[javascript:alert(document.domain)]]
@enduml |
We updated plugin to version 6.59 but still vulnerability exists.
I found on the internet that The fixed version is 6.44 which is strange because we use a newer version and still exploit exists
Under this link (https://forum.plantuml.net/11084/javascript-hyperlinks-in-svg) we found a nice tip about environment variable but even when we set it explicitly to false it didn’t help.
Please Can you help me resolve that problem?