Cross-Site Scripting in mermaid

Published: Sep 2, 2020
Updated: Apr 14, 2023
GHSA: <a href="https://github.com/advisories/GHSA-w32g-5hqp-gg6q" target="_blank" rel="noopener"> GHSA-w32g-5hqp-gg6q
Severity: High
Exploit:

Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as A["<img src=invalid onerror=alert('XSS')></img>"] is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.