Brett on 06 Feb, 2018 06:47 PM
So do you have any suggestions on how to prevent this vulnerability?
Marked requires network requests to work with hosted resources, so
blocking outgoing requests isn't an option. I used to strip script tags
from documents automatically, but that stops people from loading their
own libraries like Mermaid and other tools. I'd be open to suggestions.
Brett on 06 Feb, 2018 08:31 PM
I don't think CSP is feasible in this case. But just removing/limiting
the preview function might be fair, I'm not sure many use that anyway.
What if when using the /preview handler, Marked stripped all scripts
from the input? I'd list it as a security feature, and I don't think
that in the use case for that query handler the functionality would be
Brett on 11 May, 2018 06:50 PM
I'm not sure how to go about updating the CVE, but as of 2.5.11 this issue is mitigated as discussed. Marked strips all <script> tags, and also parses out any on[Click/Load/mouse(enter|leave),etc.] attributes on tags.
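As an added illustration of the mitigation described in this thread (stripping every `<script>` element and every `on*` event-handler attribute before rendering), here is a small sanitizer built on Python's standard `html.parser`. It is example code written for this page, not Marked's own implementation, and it makes no assumption about how Marked's /preview handler is wired up; it only shows what "strip scripts and on* attributes" has to cover in practice, including mixed-case attribute names, self-closing tags and script bodies that contain tag-like text. It also returns a list of what it removed, so a preview endpoint could log the events for detection purposes.

```python
from html import escape
from html.parser import HTMLParser


class ActiveContentStripper(HTMLParser):
    """Re-emits an HTML document minus <script> elements (including their
    contents) and any attribute whose name starts with "on" (case-insensitive).
    Example sanitizer for this page, not Marked's code."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through untouched
        super().__init__(convert_charrefs=False)
        self.out = []
        self.in_script = 0
        self.removed = []  # audit trail of what was dropped

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.removed.append(f"attr {name} on <{tag}>")
                continue
            if value is None:  # bare attribute such as "disabled"
                kept.append(name)
            else:
                kept.append(f'{name}="{escape(value, quote=True)}"')
        return (" " + " ".join(kept)) if kept else ""

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
            self.removed.append("<script> element")
            return
        if self.in_script:
            return
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag == "script":
            self.removed.append("<script/> element")
            return
        if self.in_script:
            return
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
            return
        if not self.in_script:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Script bodies are delivered here as raw text; drop them entirely.
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.in_script:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.in_script:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.in_script:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_active_content(html_doc):
    """Return (sanitized_html, list_of_removed_items)."""
    parser = ActiveContentStripper()
    parser.feed(html_doc)
    parser.close()
    return "".join(parser.out), parser.removed


if __name__ == "__main__":
    # Constructed sample input, not taken from any real document.
    sample = ('<p onClick="alert(1)" class="x">Hi &amp; <script>evil()</script>'
              '<img src="a.png" onerror="x()"/></p>')
    cleaned, dropped = strip_active_content(sample)
    print(cleaned)
    print(dropped)
```

Because this is a denylist (remove what is known to be dangerous), it only enforces exactly what the thread describes; a preview endpoint that cannot trust its input is usually better served by an allowlist sanitizer that keeps only known-safe tags and attributes.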