Added data: and vbscript: link fix to prevent XSS vulnerability #63

Merged
merged 1 commit into from Mar 14, 2019

@jedixak
Contributor

commented Mar 14, 2019

Cross-site Scripting (XSS) via Data or Vbscript URIs.
The following markup `[link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGknKTwvc2NyaXB0Pg==)` produces `<script>alert('hi')</script>`.
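
The kind of check the report above calls for, as an added example that is not code from this pull request or from simple-markdown: a link target is normalized first, then rejected when it resolves to a blocked scheme. The names `sanitizeLinkTarget`, `renderLink` and `BLOCKED_SCHEMES`, the inclusion of `javascript:` in the list, and all sample inputs other than the `data:` URI quoted above are assumptions made for illustration.

```javascript
// Added example; hypothetical names, not simple-markdown's implementation.
const BLOCKED_SCHEMES = ['javascript:', 'vbscript:', 'data:'];

// Returns the URL unchanged when it is safe to place in href, else null.
function sanitizeLinkTarget(url) {
  if (url == null) return null;
  const raw = String(url);
  let decoded;
  try {
    // Percent-escapes could otherwise hide the scheme from the comparison.
    decoded = decodeURIComponent(raw);
  } catch (e) {
    return null; // fail closed on malformed escapes such as a lone '%'
  }
  // Compare on a reduced form: lower-cased, with everything except
  // letters, digits, ':' and '/' removed, so case changes, leading
  // whitespace and embedded control characters cannot mask the scheme.
  const probe = decoded.toLowerCase().replace(/[^a-z0-9:\/]/g, '');
  for (const scheme of BLOCKED_SCHEMES) {
    if (probe.startsWith(scheme)) return null;
  }
  return raw;
}

// Minimal HTML escaping for text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Constructed renderer: emits href only when the target passed the check.
function renderLink(text, url) {
  const safe = sanitizeLinkTarget(url);
  return safe === null
    ? `<a>${escapeHtml(text)}</a>`
    : `<a href="${escapeHtml(safe)}">${escapeHtml(text)}</a>`;
}

// The data: URI is the one quoted in the report; the rest are constructed.
const REPORTED =
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgnaGknKTwvc2NyaXB0Pg==';
console.log(renderLink('link', REPORTED));               // no href emitted
console.log(renderLink('link', 'https://example.com/')); // href kept
```

A denylist like this covers only the schemes it names; allowing only known-good schemes such as `http:`, `https:` and `mailto:` is the stricter variant.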

@ariabuckles

Contributor

commented Mar 14, 2019

Thanks! This looks great. I’ll deploy a version with these changes later today.

@ariabuckles ariabuckles merged commit 8ad751f into Khan:master Mar 14, 2019

ariabuckles added a commit that referenced this pull request Mar 14, 2019

@ariabuckles

Contributor

commented Mar 14, 2019

Published simple-markdown@0.4.4 with these changes. Thanks again!
