CVE-2014-10065
EPSS 0.24%
Content Injection in remarkable
Published: 2020/8/31
Modified: 2023/11/8
Description
Versions 1.4.0 and earlier of `remarkable` are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of `remarkable` did not properly whitelist link protocols, and consequently allowed `javascript:` to be used.

### Proof of Concept

Markdown Source:

```
[link](<javascript:alert(1)>)
```

Rendered HTML:

```
<a href="javascript:alert(1)">link</a>
```

## Recommendation

Update to version 1.4.1 or later
Affected packages (1)
- npm/remarkable from 0, < 1.4.1
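
The link-protocol whitelist the description refers to, sketched as an added example (this is not remarkable's own code or its actual fix). `ALLOWED_SCHEMES`, `isSafeHref` and `renderLink` are hypothetical names, and the href is assumed to have been entity-decoded by the parser already.

```javascript
// Added example: protocol allowlist for Markdown link targets.
// ALLOWED_SCHEMES, isSafeHref and renderLink are hypothetical names,
// not part of remarkable's API.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Assumes href has already been entity-decoded by the Markdown parser.
function isSafeHref(href) {
  if (typeof href !== 'string') return false;
  // Browsers drop tab/CR/LF anywhere in a URL and ignore leading control
  // characters and spaces, so normalise the same way before reading the scheme.
  const cleaned = href.replace(/[\t\r\n]/g, '').replace(/^[\u0000-\u0020]+/, '');
  const match = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  // No scheme means a relative URL, fragment or query, which inherits the
  // page's own scheme, so it is allowed.
  if (!match) return true;
  // Allowlist, not denylist: any scheme not named above is rejected.
  return ALLOWED_SCHEMES.has(match[1].toLowerCase());
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Emits an anchor only for allowed targets; otherwise the label as plain text.
function renderLink(text, href) {
  const label = escapeHtml(text);
  if (!isSafeHref(href)) return label;
  return `<a href="${escapeHtml(href)}">${label}</a>`;
}

// Constructed sample inputs; the first is the href from the proof of concept.
const samples = ['javascript:alert(1)', 'https://example.com/?a=1&b=2', '/docs/intro', '#top'];
for (const href of samples) {
  console.log(JSON.stringify(href), '->', renderLink('link', href));
}
```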