
I've not looked in detail, but I'm not so sure about the security of generating windows via URL parameters. I feel like there's an XSS in that for sure.

Edit: there is https://golden-layout.com/?gl-window=%7B%22g%22%3A%5B%7B%22o...

Please don't chastise me for disclosure ethics, this one was low-hanging fruit.




Good point. What it passes via URL parameter is URL-encoded JSON - which is parsed using JSON.parse()... so it shouldn't expose an attack vector. The alternative - creating about:blank windows and moving DOM elements into them - comes with a wealth of glitches and restrictions.


I realise that, but unless every piece of information in the JSON is dealt with caution (which I doubt from experience) it could be possible to put together an attack. Well, I should probably verify that myself.


I edited my original post to include a working XSS exploit.


Wow...impressive. Even though this is not so much a weakness of Goldenlayout as rather the particular image component I use on the startpage. Still though, thanks. Remind me to hire you if I want to get back at someone.


Usually I work to prevent problems rather than create them but hey I could be the antagonist in someone's novel. I doubt that's not the only exploit in the library either. I could go through it with a finer toothed comb if you wanted.


I'd be forever grateful. I imagine this one to be quite tough since it's ultimately up to the user to create and read serializable state objects for their components.
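
Added example, not part of the thread and not GoldenLayout's own code: the thread's point is that `JSON.parse()` on the `gl-window` parameter is safe in itself, but each component still has to treat the values in its restored state as untrusted. The sketch below validates a hypothetical image component state of the form `{ src, caption }` (that shape and all function names are assumptions) before any markup is built from it.

```javascript
// Added example. State shape { src, caption } and all names are hypothetical.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Decode and parse the gl-window parameter; null on missing or malformed input.
function readWindowParam(search) {
  const raw = new URLSearchParams(search).get('gl-window');
  if (raw === null) return null;
  try {
    const parsed = JSON.parse(raw);
    return parsed !== null && typeof parsed === 'object' ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Accept only absolute http(s) URLs; javascript:, data: and relative values are rejected.
function safeImageUrl(value) {
  if (typeof value !== 'string') return null;
  let url;
  try { url = new URL(value); } catch (e) { return null; }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Reduce untrusted state to the two fields the component needs, type-checked.
function sanitizeImageState(state) {
  if (state === null || typeof state !== 'object') return null;
  const src = safeImageUrl(state.src);
  if (src === null) return null;
  const caption = typeof state.caption === 'string' ? state.caption.slice(0, 200) : '';
  return { src, caption };
}

// Escape text for HTML element and attribute contexts.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Build markup only from validated, escaped values; empty string if state is rejected.
function renderImage(state) {
  const clean = sanitizeImageState(state);
  if (clean === null) return '';
  return `<figure><img src="${escapeHtml(clean.src)}" alt="">` +
    `<figcaption>${escapeHtml(clean.caption)}</figcaption></figure>`;
}
```

In a browser component, assigning `img.src` and `figcaption.textContent` on created elements avoids string-built markup altogether; the scheme check on `src` is still needed.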



