This PoC demonstrates that a malicious website can silently exfiltrate the complete content of a draw.io diagram using postMessage, without any origin validation or user consent.
Vulnerable URL:
https://embed.diagrams.net/?embed=1&proto=json
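The missing check, illustrated from the embedded application's side: an added example (not draw.io's own code) of a postMessage handler that compares event.origin against an explicit allowlist before answering any request for diagram data. The allowlisted origin, the sample diagram XML and the JSON message shape ({action:"export"} in, {event:"export", xml} out) are assumptions for this illustration, not values taken from the page.

```javascript
// Added illustration, not draw.io's code: origin-validated handling of embed messages.
// ALLOWED_EMBEDDERS is a hypothetical allowlist; DIAGRAM_XML is constructed sample content.
const ALLOWED_EMBEDDERS = new Set([
  "https://wiki.example.com",
]);
const DIAGRAM_XML = "<mxfile><diagram id=\"demo\">constructed sample</diagram></mxfile>";

function isTrustedOrigin(origin, allowlist = ALLOWED_EMBEDDERS) {
  // event.origin is a normalized "scheme://host[:port]" string (or "null" for opaque origins).
  // Compare it exactly against the allowlist; prefix or regex matching can be bypassed.
  return typeof origin === "string" && allowlist.has(origin);
}

// Returns the reply object to post back, or null when the message must be dropped.
// Dropping (rather than erroring) means an unknown page learns nothing about the diagram.
function handleEmbedMessage(origin, rawData, diagramXml = DIAGRAM_XML) {
  if (!isTrustedOrigin(origin)) {
    return null; // untrusted embedder: never reveal diagram content
  }
  let msg;
  try {
    msg = JSON.parse(rawData); // proto=json: the body must be a JSON document
  } catch (e) {
    return null;
  }
  if (!msg || typeof msg !== "object") {
    return null;
  }
  if (msg.action === "export") {
    return { event: "export", xml: diagramXml }; // assumed reply shape
  }
  return null; // unknown actions are ignored
}

// Browser wiring (skipped when run outside a window, e.g. under Node for testing).
// The reply is targeted at the verified origin, never at "*".
if (typeof window !== "undefined") {
  window.addEventListener("message", (evt) => {
    const reply = handleEmbedMessage(evt.origin, evt.data);
    if (reply && evt.source) {
      evt.source.postMessage(JSON.stringify(reply), evt.origin);
    }
  });
}
```

With this check in place, a page on a non-allowlisted origin that posts {action:"export"} receives no reply at all, which is the behaviour the PoC above shows to be absent.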