Cross-Site Scripting

2018-04-24T15:37:51
ID NODEJS:587
Type nodejs
Reporter joker314
Modified 2018-04-24T15:41:02

Description

Overview

Versions of mrk.js before 2.0.1 are vulnerable to cross-site scripting (XSS) when markdown is converted to HTML.

Recommendation

Update to version 2.0.1 or later and use mark.sanitizeURL() for any src and href attributes when extending the markdown.
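One way to apply this recommendation when an extension emits its own href or src attributes, shown as an added example that is not mrk.js code and not the implementation of mark.sanitizeURL(). The function names are hypothetical and the scheme allowlist is an assumption. It checks the URL scheme against the allowlist after browser-style normalisation, then HTML-escapes the value before writing it into the attribute.

```javascript
// Added example, not mrk.js code: safeURL, escapeHTML, renderLink and
// renderInline are hypothetical names; the scheme allowlist is an assumption.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape characters that are significant in HTML text and attribute values.
function escapeHTML(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Return the URL if it is relative or uses an allowed scheme, otherwise "#".
function safeURL(raw) {
  // Browsers drop tab/CR/LF inside a URL and ignore leading spaces and
  // control characters, so normalise the same way before reading the scheme.
  const url = String(raw).replace(/[\t\r\n]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const scheme = /^[a-zA-Z][a-zA-Z0-9+.-]*:/.exec(url);
  if (!scheme) return url; // no scheme: relative path, query or fragment
  return ALLOWED_SCHEMES.has(scheme[0].toLowerCase()) ? url : "#";
}

// Render one markdown link as an anchor: check the scheme, then escape.
function renderLink(text, url) {
  return `<a href="${escapeHTML(safeURL(url))}">${escapeHTML(text)}</a>`;
}

// Convert inline links in a line of markdown; all other text is escaped.
function renderInline(md) {
  const link = /\[([^\]]*)\]\(([^)]*)\)/g;
  let out = "", last = 0, m;
  while ((m = link.exec(md)) !== null) {
    out += escapeHTML(md.slice(last, m.index)) + renderLink(m[1], m[2]);
    last = link.lastIndex;
  }
  return out + escapeHTML(md.slice(last));
}

// Constructed sample inputs.
for (const md of ["[docs](https://example.com/a)", "[x](JaVaScRiPt:alert(1))",
                  "[y](java\tscript:alert(1))", '<img src=x> [z](/p?q="1")']) {
  console.log(renderInline(md));
}
```

The same safeURL check applies unchanged to src attributes; only the surrounding tag differs.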
