XSS due to misconfigurations

### Vulnerability Details

Hi, I want to report a possible XSS due to a misconfiguration in `markmap-lib`. The following configuration will render user input as HTML

https://github.com/markmap/markmap/blob/205367a24603dc187f67da1658940c6cade20dce/packages/markmap-lib/src/markdown-it.ts#L7-L11

This can allow a malicious attacker to specify a malicious HTML payload, such as

```html
<img src=x onerror=alert(window.origin)>
```

You can verify this vulnerability exists by navigating to [the `markmap` REPL](https://markmap.js.org/repl) and type the following payload

```markdown
- xss: <img src=x onerror=alert(window.origin)>
```

An alert box should pop up with the domain of the website, indicating a XSS vulnerability

<img width="3002" height="484" alt="Image" src="https://github.com/user-attachments/assets/d28836a0-8749-4712-b0d2-f471fbe626d6" />

This also leads to a XSS vulnerability in another application that uses `markmap-lib`, which can be found in this [issue](https://github.com/hackmdio/codimd/issues/1933)

### Mitigation

Markmap can sanitize the final HTML input from the user, or restrict the HTML tags that can be specified inside the markdown

	export function initializeMarkdownIt() {
	const md = MarkdownIt({
	html: true,
	breaks: true,
	});

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

XSS due to misconfigurations #333

Vulnerability Details

Mitigation

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

XSS due to misconfigurations #333

Description

Vulnerability Details

Mitigation

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions