Overview
Versions 1.4.0 and earlier of remarkable are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of remarkable did not properly whitelist link protocols, and consequently allowed javascript: to be used.
Proof of Concept
Markdown Source:
[link](<javascript:alert(1)>)
Rendered HTML:
<a href="javascript:alert(1)">link</a>
Remediation
Update to version 1.4.1 or later
Have content suggestions? Send them to [email protected]
Advisory timeline
reported
Initial report by Adam BaldwinOct 17th, 2015published
Advisory publishedNov 13th, 2014
