EPSS Percentile: 34.0%
joyqi/hyper-down is vulnerable to cross-site scripting (XSS). The library does not properly escape the href attribute in Parser.php, which allows a remote attacker to inject and execute malicious JavaScript.
github.com/advisories/GHSA-4r9g-w48q-8jwm
github.com/segmentfault/HyperDown/blob/2.4.26/Parser.php#L421
github.com/segmentfault/HyperDown/commit/7b3bf90d163e624ad980339ad54b5fe0d85930ea#diff-1a7c1850f88287936713a7072af9331818e14581fc71feed100c41e1747593ceR427