CVE-2017-1000492

An attacker can create or modify a note with a crafted title containing JavaScript code. When the victim views their starred notes list, the unsanitized title is rendered into the DOM via `Note.renderStars` [patch_id=6628355]. Because the Leanote desktop application has Node.js integration enabled, the injected script can escape the Electron renderer and execute arbitrary system commands, achieving full code execution. The attack requires the victim to have the malicious note appear in their starred notes view.

The vulnerability is in `public/js/app/note.js` in the `Note.renderNote` and `Note.renderStars` functions. The `Note.renderStars` function directly interpolates `note.Title` into a template string without sanitization, and `Note.renderNote` sets the note title into the DOM via `$("#noteTitle").val(title)` after only trivial HTML-entity replacement that does not prevent script injection.

The patch [patch_id=6628355] adds two changes. First, in `Note.renderNote`, the title is passed through a `replace(/&lt;/g, '<').replace(/&gt;/g, '>')` call before being set into the input field. Second, in `Note.renderStars`, the title is wrapped with a `trimTitle()` call before being interpolated into the template. These changes prevent raw HTML/JavaScript from being injected into the DOM, closing the XSS vector that could be escalated to code execution via Node integration.