Restore A9 Insecure Components vulnerability
rcowsill opened this issue · 6 comments
The A9: Insecure Components vulnerability tutorial refers to the use of an insecure version of the Marked library, making the memos page vulnerable to XSS.
It appears that the project was upgraded to use marked 0.3.9, which fixed this vulnerability. This means none of the example exploit strings in the tutorial result in a successful XSS attack.
I think the package.json needs to specify marked 0.3.5, as that is the last version with the XSS vulnerability.
Note that this is also relevant to PR #169, which currently specifies the 0.3.9 version instead of 0.3.5.
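The drift described above (a range in package.json quietly resolving to a patched release, so the tutorial's vulnerable dependency disappears) can be caught with a small dependency-pin check. The following is an added example, not code from this project or from anyone in the thread; it assumes the dependency lives under the `dependencies` key of package.json, and the list of published `marked` versions it consults is a constructed sample, not a registry lookup.

```javascript
// Added example: audit that a package.json pins a dependency to an exact
// version, and show which published releases a caret/tilde range would admit.
// Assumptions: dependency sits under "dependencies"; published version list
// below is a constructed sample for illustration, not fetched from npm.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not an exact x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Minimal semver range check for the three forms found in package.json:
// exact "0.3.5", caret "^0.3.5" and tilde "~0.3.5". Other syntax is rejected.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (compare(v, base) < 0) return false;
  if (op === '') return compare(v, base) === 0;
  // Exclusive upper bound. Tilde allows patch bumps only; caret allows
  // changes up to the first non-zero component.
  let upper;
  if (op === '~') upper = [base[0], base[1] + 1, 0];
  else if (base[0] !== 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] !== 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return compare(v, upper) < 0;
}

// Constructed sample of published releases; a real audit would query the
// registry or read package-lock.json.
const SAMPLE_PUBLISHED_MARKED = ['0.3.5', '0.3.6', '0.3.9'];

// Returns { ok, spec, allowed }: ok is true only when the spec is the exact
// expected version; allowed lists every published release the spec admits.
function auditPin(pkgJson, name, expected, published = SAMPLE_PUBLISHED_MARKED) {
  const spec = (pkgJson.dependencies || {})[name];
  if (spec === undefined) return { ok: false, spec, allowed: [] };
  const allowed = published.filter((v) => satisfies(v, spec));
  return { ok: spec === expected, spec, allowed };
}

// Demonstration on constructed package.json fragments.
const drifting = { name: 'sample-app', dependencies: { marked: '^0.3.5' } };
const pinned = { name: 'sample-app', dependencies: { marked: '0.3.5' } };
console.log('caret range:', auditPin(drifting, 'marked', '0.3.5'));
console.log('exact pin:  ', auditPin(pinned, 'marked', '0.3.5'));
```

With the caret spec the audit reports `ok: false` and an `allowed` list that includes 0.3.9, which is exactly how a fresh install ends up on the patched release; with the exact pin only 0.3.5 is admitted. Checking package-lock.json (or the installed `node_modules/marked/package.json`) against the same expected value would close the remaining gap between what is declared and what is installed.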
@rcowsill Thanks for reporting the issue. 👍
You are right about it. We will add it in our backlog. In case you have bandwidth, we will be happy to merge a PR with the required fix.
Would you want that PR from a feature branch in a fork of master?
As discussed in #206, I'm going to add a test to confirm this vulnerability is present and functioning as expected. PR for that to follow...
ahh, I didn't even notice it's not PRed to the master branch
@UlisesGascon can you advise?