Severity: high

Sanitization bypass using HTML Entities



Affected versions of marked are susceptible to a cross-site scripting vulnerability in link components when sanitize:true is configured.

Proof of Concept

This flaw exists because link URIs containing HTML entities are processed abnormally. Each HTML entity is parsed on a best-effort basis and included in the resulting link; if parsing fails, that character is omitted.

For example:

A link URI such as


Renders a valid link that when clicked will execute alert(1).


Update to version 0.3.6 or later.
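
For applications that also validate link targets themselves, the sketch below checks the scheme only after entity normalization. It is an added example, not marked's code or part of the advisory. The function names, the entity table and the allowed-scheme policy are assumptions, and the sample URIs are constructed.

```javascript
// Added example (not marked's code). normalizeEntities is a simplified model of
// the behaviour described above: decode what parses, drop what does not.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', colon: ':', tab: '\t', newline: '\n' };
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed policy

function normalizeEntities(uri) {
  return uri.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z][a-z0-9]*);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : '';
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, name) ? NAMED[name] : '';
  });
}

// The normalized string is used only for the decision, never emitted.
function isSafeLinkUri(uri) {
  // URL parsers strip tabs and newlines anywhere and leading control
  // characters; removing all of them before the check is stricter.
  const flat = normalizeEntities(uri).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(flat);
  if (scheme) return ALLOWED_SCHEMES.has(scheme[1]);
  // No recognizable scheme: reject if a colon still precedes the first '/', '?' or '#'.
  return !/^[^/?#]*:/.test(flat);
}

// Constructed inputs for illustration; none is taken from the advisory.
const samples = [
  'https://example.com/a?b=1&c=2',
  '/docs/intro.html#top',
  'javascript&#58;alert(1)',     // well-formed entity decodes to ':'
  'java&bogus;script:alert(1)',  // undecodable entity is dropped
  'jav&#x09;ascript:alert(1)',   // decoded tab is ignored by URL parsers
];
for (const s of samples) console.log(isSafeLinkUri(s) ? 'allow ' : 'reject', s);
```

A check like this belongs next to the renderer's output stage, and the emitted href must still be HTML-escaped.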


Advisory timeline

  1. published: Advisory published, Apr 18th, 2016
  2. reported: Initial report by Matt Austin, Apr 18th, 2016