Severity: high

Content Injection



Versions 1.4.0 and earlier of remarkable are affected by a cross-site scripting vulnerability. Vulnerable versions did not properly deny unsafe link protocols, so a link whose destination used the javascript: protocol was rendered as a working href.

Proof of Concept

Markdown Source:


Rendered HTML:

<a href="javascript:alert(1)">link</a>


Update to version 1.4.1 or later.
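
The kind of link-protocol check the description refers to, as an added example (not remarkable's own code; `ALLOWED_SCHEMES`, `isSafeHref` and `renderLink` are hypothetical names). It allowlists schemes instead of denying javascript: alone, and normalises the destination the way a browser's URL parser does before reading the scheme.

```javascript
// Added example: validate a link destination before it is written to href.
// All names here are hypothetical; sample inputs below are constructed.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

function isSafeHref(href) {
  // Browsers remove tab/CR/LF anywhere in a URL and strip leading C0
  // controls and spaces, so normalise the same way before checking.
  const normalized = String(href)
    .replace(/[\t\r\n]/g, '')
    .replace(/^[\u0000-\u0020]+/, '')
    .toLowerCase();
  const match = /^([a-z][a-z0-9+.-]*):/.exec(normalized);
  if (!match) return true; // no scheme: relative path, query or fragment
  return ALLOWED_SCHEMES.has(match[1]);
}

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderLink(text, href) {
  // Unsafe destination: keep the link text, drop the anchor entirely.
  if (!isSafeHref(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Constructed sample destinations covering the case in this advisory
// plus case and whitespace variants a deny-list on the raw string misses.
const samples = [
  'https://example.com/?a=1&b=2',
  '/docs/page#top',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  ' \tjava\nscript:alert(1)',
  'data:text/html,x',
];
for (const href of samples) {
  console.log(JSON.stringify(href), '->', renderLink('link', href));
}
```

The check has to run on the final string that will be emitted as the attribute value, after any entity or escape decoding the renderer performs.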


Advisory timeline

  1. published

    Advisory published
    Nov 13th, 2014
  2. reported

    Initial report by Adam Baldwin
    Oct 17th, 2015