Marked XSS Vulnerability
Please consider adding an HTML sanitizer for Marked.js, as it is vulnerable to XSS attacks.
For example, create a markdown file test.md with the following line: <img src=x onerror=prompt(404)>, then open the rendered file - you should get an error prompt.
Recommended solution (by Marked.js) is to use a sanitizer such as DOMPurify.
Issue Analytics
- Created a year ago
- Reactions: 1
- Comments: 9 (5 by maintainers)
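The sanitizing step the issue recommends, as an added example that is not code from marked, DOMPurify or daedalOS: a fail-closed allowlist filter run over the HTML that marked has already rendered, written to show the principle DOMPurify applies (rebuild every tag from parsed parts, never echo the original markup, drop every attribute and URL scheme not on the allowlist). All names are assumptions, the sample rendered string is constructed from the issue's payload, and in production the sanitizer should be DOMPurify itself rather than this illustration.

```javascript
// Added illustration, not marked's or DOMPurify's code: an allowlist filter
// for ALREADY-RENDERED HTML. Tags are rebuilt from parsed parts; anything
// that is not a well-formed, allowlisted tag is dropped or escaped.

const ALLOWED_TAGS = new Set(["p", "em", "strong", "code", "pre", "a", "img", "ul", "ol", "li", "br"]);
const ALLOWED_ATTRS = new Set(["href", "src", "alt", "title"]);
const URL_ATTRS = new Set(["href", "src"]);

// Text between tags, including any malformed tag, is escaped rather than passed through.
const escapeText = (s) =>
  s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");

// Accept http(s), mailto and scheme-less (relative) URLs only, so javascript:
// and data: values are dropped even when padded with control characters.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  return /^(?:https?:|mailto:|[^:]*$)/.test(cleaned);
}

// Matches one well-formed tag; malformed tags never match and stay escaped text.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>`]+))?)*)\s*(\/?)>/g;

function sanitizeHtml(html) {
  let out = "", last = 0, m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index)); // inert text between tags
    last = m.index + m[0].length;
    const [, closing, rawName, rawAttrs, selfClose] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;        // <script>, <iframe>, ... are dropped
    let attrs = "", a;
    const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;
    while (!closing && (a = attrRe.exec(rawAttrs)) !== null) {
      const attrName = a[1].toLowerCase();
      const attrValue = a[2] ?? a[3] ?? a[4] ?? "";
      if (!ALLOWED_ATTRS.has(attrName)) continue;                   // every on* handler, style, ...
      if (URL_ATTRS.has(attrName) && !safeUrl(attrValue)) continue; // javascript:/data: URLs
      attrs += ` ${attrName}="${escapeText(attrValue)}"`;
    }
    out += closing ? `</${name}>` : `<${name}${attrs}${selfClose ? " /" : ""}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample: what marked renders for the line in the issue, since
// marked passes raw HTML through untouched.
const RENDERED_BY_MARKED = '<p><img src=x onerror=prompt(404)></p>';
console.log(sanitizeHtml(RENDERED_BY_MARKED)); // <p><img src="x"></p>
```

The filter must run on marked's output, not on the Markdown input: sanitizing before rendering leaves marked free to emit markup the sanitizer never saw.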
Top GitHub Comments
Done https://github.com/DustinBrett/daedalOS/commit/cf5de2ac3366cdd3b02169e84d0ba04b690b5a33
I don’t think there’s a problem with the website itself, though if someone forked the repo and made a website that contains malicious scripts, it could be potentially dangerous, so this is simply a suggestion to make the project a bit safer 😃