Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism’s command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | node-prismjs | < 1.27.0+dfsg+~1.26.0-1 | node-prismjs_1.27.0+dfsg+~1.26.0-1_all.deb |
Debian | 11 | all | node-prismjs | < 1.23.0+dfsg-1+deb11u2 | node-prismjs_1.23.0+dfsg-1+deb11u2_all.deb |
Debian | 999 | all | node-prismjs | < 1.27.0+dfsg+~1.26.0-1 | node-prismjs_1.27.0+dfsg+~1.26.0-1_all.deb |
Debian | 13 | all | node-prismjs | < 1.27.0+dfsg+~1.26.0-1 | node-prismjs_1.27.0+dfsg+~1.26.0-1_all.deb |