Sanitization bypass using HTML Entities (marked)
Affected versions of marked are susceptible to a cross-site scripting vulnerability in link components when sanitize:true is configured.
Proof of Concept
This flaw exists because link URIs containing HTML entities are processed in an abnormal manner: any HTML entities are parsed on a best-effort basis and included in the resulting link, and where that parsing fails the affected character is omitted.
A link URI such as
Renders a valid link that when clicked will execute
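The following is an added example written for this advisory; it is not marked's own code and does not reproduce marked's renderer. It shows the defect class described above in miniature: a naive check inspects the URI scheme on the raw Markdown text, while the rendered link carries the entity-decoded value (browsers also decode character references inside attribute values, so the decoded form is what ends up live). The hardened check normalises the href (decodes character references and percent-encoding, strips whitespace and control characters) before comparing the scheme. The `decodeEntities`, `naiveIsSafeHref`, `isSafeHref` and `renderLink` names, the blocked-scheme list and the sample inputs are all constructed for this example.

```javascript
// Added example, not marked's own code: sanitizing link hrefs in a Markdown
// renderer. Normalise first, then inspect the scheme; never the other way round.

// Small subset of named character references; hex and decimal forms are
// handled generically below.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };

// Decode &name;, &#NN; and &#xHH; references. Unknown names and code points
// outside the Unicode range are left as written rather than dropped.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === '#') {
      const isHex = body[1] === 'x' || body[1] === 'X';
      const cp = isHex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const value = NAMED_ENTITIES[body.toLowerCase()];
    return value === undefined ? match : value;
  });
}

// Schemes that must never reach an href attribute (constructed list).
const BLOCKED_SCHEMES = ['javascript:', 'vbscript:', 'data:'];

// Naive check: looks only at the href exactly as typed in the Markdown.
// A scheme whose characters are written as entities slips through.
function naiveIsSafeHref(href) {
  const lower = href.trim().toLowerCase();
  return !BLOCKED_SCHEMES.some(scheme => lower.startsWith(scheme));
}

// Hardened check: decode character references and percent-encoding, remove
// everything that is not a word character or ':' (tabs, newlines, other
// separators), then compare the scheme. Malformed percent-encoding throws
// inside decodeURIComponent; treat that as unsafe rather than guessing.
function isSafeHref(href) {
  let normalised;
  try {
    normalised = decodeURIComponent(decodeEntities(href));
  } catch (err) {
    return false;
  }
  normalised = normalised.replace(/[^\w:]/g, '').toLowerCase();
  return !BLOCKED_SCHEMES.some(scheme => normalised.startsWith(scheme));
}

// Attribute escaping for the output HTML.
function escapeAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render a link the way the advisory describes: entities in the href are
// decoded into the emitted attribute. With `check` = naiveIsSafeHref the
// decision is made on the raw text, so the decoded href can carry a scheme
// the check never saw. Unsafe hrefs are dropped and only the text is kept.
function renderLink(href, text, check) {
  if (!check(href)) return escapeAttr(text);
  return `<a href="${escapeAttr(decodeEntities(href))}">${escapeAttr(text)}</a>`;
}

// Constructed sample inputs, run for illustration.
const SAMPLES = ['https://example.com/?a=1&amp;b=2', 'javascript&#58;void(0)', '&#x6A;avascript:void(0)'];
for (const href of SAMPLES) {
  console.log(JSON.stringify(href), 'naive:', naiveIsSafeHref(href), 'hardened:', isSafeHref(href));
}
```

The order of operations is the whole lesson: any transformation the renderer (or the browser) applies after the check must be applied before it as well, otherwise the check is reasoning about a string that never reaches the page.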
Update to version 0.3.6 or later.
Advisory published: Apr 18th, 2016
Initial report by Matt Austin: Apr 18th, 2016