Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Marked XSS Vulnerability

See original GitHub issue

Please consider adding an html santizer for Marked.js, as the it is vulnerable to XSS attacks. For example, create a markdown file with the following line: <img src=x onerror=prompt(404)>, then open the rendered file - you should get an error prompt. Recommended solution (by Marked.js) is to use a sanitizer such as DOMPurify.

Issue Analytics

  • State:closed
  • Created a year ago
  • Reactions:1
  • Comments:9 (5 by maintainers)

github_iconTop GitHub Comments

Cveinntcommented, May 30, 2022

I don’t think there’s a problem with the website itself, though if someone forked the repo and made a website that contains malicious scripts, it could be potentially dangerous, so this is simply a suggestion to make the project a bit safer 😃

Read more comments on GitHub >

github_iconTop Results From Across the Web

Fixing `marked` XSS vulnerability - Snyk
This post explains the vulnerability, shows how to exploit it on a sample app, and explains how to fix the issue in your...
Read more >
Markdown's XSS Vulnerability (and how to mitigate it) - GitHub
Cross-Site Scripting (XSS) is a well known technique to gain access to private information of the users of a website. The attacker injects...
Read more >
Exploiting XSS via Markdown - Medium
Here's a short article on how I came across the vulnerability and set about crafting an exploit. Enjoy! What is markdown? Markdown is...
Read more >
Marked Project Marked : List of security vulnerabilities
# CVE ID CWE ID Vulnerability Type(s) Publish Date Update Date Score Gaine... 1 CVE‑2022‑21681 DoS 2022‑01‑14 2022‑11‑16 5.0 None 2 CVE‑2022‑21680 400 DoS 2022‑01‑14...
Read more >
Fixing an XSS vulnerability in marked - Ponyfoo
Earlier this year my team at Snyk added an interesting Cross-Site Scripting (XSS) vulnerability to our database, in the popular marked ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found