fix: error message XSS vulnerability by catnose99 · Pull Request #22 · goessner/markdown-it-texmath

catnose99 · 2020-09-21T01:12:34Z

There is a XSS vulnerability around error handling.
Here are some examples.

$$"<img/src=./ onerror=alert(location)>
e^{i\theta} = i\sin\thetae^{i\theta}
$$

$$
e^{i\theta"<img/src=./ onerror=alert(location)>} = \cos\theta + i\sin\thetae^{i\theta} 
$$

I made a change to escape tex string.

Thank you!

snoopysecurity · 2020-11-19T18:13:43Z

Hey @goessner, any chance you could review this PR and fix this XSS issue?

goessner · 2021-05-24T15:56:00Z

Hi @catnose99 ... thanks for fixing that critical vulnerability ... sorry for lasting so long, to be able to get active here again.

--

sg

fix: error message XSS risk

f9bd09e

catnose99 changed the title ~~fix: error message XSS risk~~ fix: error message XSS vulnerability Sep 21, 2020

goessner merged commit 596f786 into goessner:master May 24, 2021

Provide feedback