anki/SECURITY.md

28 lines
1.1 KiB
Markdown
Raw Permalink Normal View History

2021-09-22 14:55:19 +02:00
# Security Policy
## Reporting a Vulnerability
Anki does not currently have a bug bounty program, but if you have discovered a
security issue, a private message on our support site would be greatly
appreciated. No account is required to post a message:
https://anki.tenderapp.com/discussion/new
## FAQ
### Javascript on Cards/Templates
Anki allows users and shared deck authors to augment their card designs with
Javascript. This is used frequently, so disabling Javascript by default would
likely break a lot of the shared decks out there. That said, the default may be
changed in the future.
The computer version has a limited interface between Javascript and the parts of
Anki outside of the webview, so arbitrary code execution outside of the webview
should not be possible.
AnkiWeb hosts its study and editing interface on a separate ankiuser.net domain,
so that malicious Javascript on cards can not trigger endpoints hosted on the
main site. If you've found that not to be the case, or found an instance of JS
not being filtered on the main site, please let us know.