MEDIUM 6.1
GHSA-f246-xrrj-g8j6
Cross-site Scripting in markdown-it-highlightjs
Details
This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature.
```js const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md().use(markdownItHighlightjs, { inline: true }).render('console.log(42){.">js}'); console.log(reuslt_xss); ```
Are you affected?
Enter the version of the package you're using.
Affected packages
npm / markdown-it-highlightjs
Introduced in:
0 Fixed in: 3.3.1 Fix
npm install markdown-it-highlightjs@3.3.1