
GHSA-9r27-994c-4xch

Published: 24 Feb 2020
Source: github
Github: Reviewed

Description

discord-html not escaping HTML code blocks when lacking a language identifier

Impact

Any website using discord-markdown with user-generated markdown is vulnerable to having code injected into the page where the markdown is displayed.

Patches

This has been patched in version 2.3.1.

Workarounds

Escape the characters <>& before sending plain code blocks to discord-markdown.
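
One way to apply this workaround, as an added example (not code from discord-markdown or from the advisory): a JavaScript pre-processor that escapes <>& only inside fenced code blocks that have no language identifier. The function names, the regular expression deciding what counts as a language identifier, and the sample input are assumptions.

```javascript
// Added example: workaround pre-processor for discord-markdown < 2.3.1.
// All names below are hypothetical; nothing here is the library's own API.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };

// Escape exactly the three characters the advisory names. A single pass
// avoids re-escaping the '&' of an entity produced a moment earlier.
function escapeHtmlChars(text) {
  return text.replace(/[&<>]/g, (ch) => HTML_ENTITIES[ch]);
}

// Assumption: a language identifier is a run of [a-z0-9_+.-] placed directly
// after the opening fence and terminated by a newline. Every other fenced
// block is treated as plain, the case the advisory says was left unescaped.
const FENCE = /```(?:([a-z0-9_+.-]+)\n)?([\s\S]*?)```/gi;

function escapePlainCodeBlocks(markdown) {
  return markdown.replace(FENCE, (whole, lang, body) => {
    if (lang !== undefined) {
      return whole; // block carries an identifier: leave it untouched
    }
    return '```' + escapeHtmlChars(body) + '```';
  });
}

// Constructed sample: text outside fences, one plain block, one tagged block.
const SAMPLE = [
  'x & y',
  '```',
  '<b>hi</b> & more',
  '```',
  '```html',
  '<i>kept</i>',
  '```',
].join('\n');

console.log(escapePlainCodeBlocks(SAMPLE));
```

This belongs only in front of versions below 2.3.1; on a fixed version the library does its own escaping, so pre-escaped text would presumably be shown with the entities visible.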

References

https://github.com/brussell98/discord-markdown/issues/13

Packages

Name: discord-markdown (npm)
Affected versions: < 2.3.1
Fixed version: 2.3.1