Affected versions of marked
are susceptible to a cross-site scripting vulnerability in link components when sanitize:true
is configured.
This flaw exists because link URIs containing HTML entities get processed in an abnormal manner. Any HTML Entities get parsed on a best-effort basis and included in the resulting link, while if that parsing fails that character is omitted.
For example:
A link URI such as
javascript֍ocument;alert(1)
Renders a valid link that when clicked will execute alert(1)
.
Update to version 0.3.6 or later.