https://bugs.documentfoundation.org/show_bug.cgi?id=121711

Michael Stahl (allotropia) <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected],
                   |                            |[email protected]
            Summary|FILEOPEN: LibreOffice       |FILEOPEN: LibreOffice
                   |apparently executes         |automatically loads remote
                   |embedded website code       |URL from floating-frame

--- Comment #12 from Michael Stahl (allotropia) <[email protected]> ---

the document contains these floating frames which were originally IFrames in
the HTML, and just like IFrames in HTML they are automatically loaded from the
URL.

    <draw:floating-frame
xlink:href="http://platform.twitter.com/widgets/tweet_button.d73d0c4cb6af3df0ea22b7c11dbc87d2.de.html#...";>

this behavior was eventually reported in a different venue and now we have:

https://www.libreoffice.org/about-us/security/advisories/cve-2023-2255/

"In versions >= 7.4.7 (and >= 7.5.3) the existing "update link" manager has
been expanded to additionally control the update of the content of IFrames, so
such IFrames will not automatically refresh their content unless the user
agrees via the prompts."

so perhaps this bug is fixed now?

(in any case, no embedded JavaScript code is executed)

it is very unclear what this would have to do with the commit of comment #8
though as no SVG file appears to be involved.
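A defender-side check for the behaviour described in the comment above, added here as an example (it is not code from the bug report, from LibreOffice, or from the commenter): it opens an ODF package, finds draw:floating-frame elements in content.xml and reports those whose xlink:href points at a remote URL, so a document can be audited before it is opened in a version that still auto-loads such frames. The sample document it scans is constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# ODF namespaces used by <draw:floating-frame xlink:href="...">
DRAW_NS = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Schemes that cause a network fetch when the frame is refreshed
REMOTE_SCHEMES = {"http", "https", "ftp"}


def remote_floating_frames(odf_bytes):
    """Return the remote URLs referenced by draw:floating-frame elements
    in content.xml of an ODF package (which is a zip archive)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        if "content.xml" not in zf.namelist():
            return found
        root = ET.fromstring(zf.read("content.xml"))
    for frame in root.iter("{%s}floating-frame" % DRAW_NS):
        href = frame.get("{%s}href" % XLINK_NS, "")
        if urlsplit(href).scheme.lower() in REMOTE_SCHEMES:
            found.append(href)
    return found


# Constructed sample content.xml (not a real document): one floating frame
# with a remote URL and one with a package-relative path.
SAMPLE_CONTENT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink">
 <office:body><office:text>
  <draw:frame><draw:floating-frame xlink:href="http://example.invalid/widget.html"/></draw:frame>
  <draw:frame><draw:floating-frame xlink:href="../local/page.html"/></draw:frame>
 </office:text></office:body>
</office:document-content>"""


def build_sample_odt():
    """Build a minimal ODT package in memory around the constructed content.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", SAMPLE_CONTENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    for url in remote_floating_frames(build_sample_odt()):
        print("remote floating frame:", url)
```

Only the http/https/ftp link is reported; the package-relative href is left alone, since it triggers no network request.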
