Versions 1.4.0 and earlier of remarkable are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of remarkable did not properly deny link protocols, and consequently allowed javascript: to be used.
Markdown Source:
[link](<javascript:alert(1)>)
Rendered HTML:
<a href="javascript:alert(1)">link</a>
Update to version 1.4.1 or later.
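The protocol check described above, sketched as an added example (not remarkable's own code or its actual fix). The names `BLOCKED_SCHEMES`, `extractScheme`, `isSafeLinkTarget` and `renderInlineLinks` are hypothetical, and the renderer handles only inline links so the check can be seen end to end.

```javascript
// Added example; hypothetical names, not taken from remarkable's source.
// Deny-list of schemes that must never reach an href attribute.
// (An allow-list of http, https and mailto is the stricter alternative.)
const BLOCKED_SCHEMES = new Set(["javascript", "vbscript", "data", "file"]);

// Browsers drop tab/CR/LF anywhere in a URL and ignore leading control
// characters and spaces before reading the scheme, so normalise the same
// way before inspecting it. Otherwise "java\tscript:" slips past the check.
function extractScheme(rawUrl) {
  const cleaned = String(rawUrl)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null means a relative URL
}

function isSafeLinkTarget(rawUrl) {
  const scheme = extractScheme(rawUrl);
  return scheme === null || !BLOCKED_SCHEMES.has(scheme);
}

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Minimal inline-link renderer covering [text](dest) and [text](<dest>).
// A link whose destination fails the check is emitted as escaped text,
// never as an <a> element.
function renderInlineLinks(markdown) {
  const linkRe = /\[([^\]]*)\]\((?:<([^>]*)>|([^)\s]*))\)/g;
  return markdown.replace(linkRe, (whole, text, angled, bare) => {
    const dest = angled !== undefined ? angled : bare;
    if (!isSafeLinkTarget(dest)) return escapeHtml(whole);
    return `<a href="${escapeHtml(dest)}">${escapeHtml(text)}</a>`;
  });
}

// The Markdown source from the advisory, plus one benign link.
console.log(renderInlineLinks("[link](<javascript:alert(1)>)"));
console.log(renderInlineLinks("[ok](https://example.com/)"));
```
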