XSS vulnerability

Question

cosad3s opened this issue 4 years ago · 3 comments

Hello,

I have identified an XSS vulnerability on the last version of ngx-markdown-editor (3.3.2 - Last commit 783fe2d).

Payload :

Previewed as:

The XSS:

Answer 1 · 2021-04-13T10:42:07.000Z

You can set this markedjsOpt.sanitize to true. That's can prevent this.

Answer 2 · 2021-04-13T10:54:43.000Z

The option is already set to true.
It blocks other payloads, but not this one.
I used the preconfigured "demo" subfolder from this repository.

Answer 3 · 2021-04-15T00:56:10.000Z

Please using 3.3.3. This version has been fixed this issue.