Content injection in marked

Published: Feb 25, 2021
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-wjmf-58vc-xqjr" target="_blank" rel="noopener"> GHSA-wjmf-58vc-xqjr
Severity: Medium
Exploit:

Versions 0.3.7 and earlier of marked When mangling is disabled via option mangle don't escape target href. This allow attacker to inject arbitrary html-event into resulting a tag.