VDB
KO
MEDIUM 6.1

GHSA-f246-xrrj-g8j6

Cross-site Scripting in markdown-it-highlightjs

Details

This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature.

```js const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md().use(markdownItHighlightjs, { inline: true }).render('console.log(42){.">js}'); console.log(reuslt_xss); ```

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / markdown-it-highlightjs
Introduced in: 0 Fixed in: 3.3.1
Fix npm install markdown-it-highlightjs@3.3.1

References