XSS with HTML entities #592

Merged
merged 3 commits into from Jul 29, 2016

@matt-
Collaborator
matt- commented May 19, 2015

With the sanitize option on it is possible to create a link with a javascript: protocol with the following: [URL](javascript&#58document;alert(1)).

HTML entities in the browser are not strict: the parser decodes what it can and leaves the rest behind. For example &#xNNanything; would parse the NN hex value but leave behind the string "anything;".

"javascript&#58document;" with the regex /&([#\w]+);/ returns "58document" and is parsed by String.fromCharCode to "". Because of this the later tests only see the javascript keyword without the ":". However the browser parses this to: "javascript:document;".

@oparoz oparoz referenced this pull request in owncloud/gallery Sep 15, 2015
Merged

Protect users from gallery.cnf #308

@gscottolson

👍 This seems pretty significant.

@matt-
Collaborator
matt- commented Sep 24, 2015

I assume this project is dead. I can't see letting an XSS go for this long otherwise. I have moved to a new lib in my project.

@matt-
Collaborator
matt- commented Jan 25, 2016


I created a fork and this PR, but the real solution is to use something else. I am recommending that the node security project mark this project as vulnerable and abandoned.
@alexkravets

@matt- any recommendation for alternatives?

@matt-
Collaborator
matt- commented Jan 25, 2016

https://github.com/jonschlinkert/remarkable has been great for me.

@alexkravets

@matt- thanks a ton!

@droppedoncaprica

That moment when you realize you didn't comment on an open issue, but rather an open PR. Whelp.

@uptownhr

when will this be pulled?

@dominicbarnes dominicbarnes added a commit to dominicbarnes/deku-forms that referenced this pull request Apr 20, 2016
@dominicbarnes dominicbarnes switch to remarkable for markdown rendering
marked has a pretty nasty XSS vulnerability, and doesn't appear to
be an active project anymore. (see chjj/marked#592)
bbf5ef8
@EthanRubinson

+1 Can this please be merged in so we can remove the advisory?

@oriweingart

+1

@zachmullen zachmullen added a commit to girder/girder that referenced this pull request Apr 25, 2016
@zachmullen zachmullen Switch from marked library to remarkable
The marked library that we were using to render markdown has been
abandoned by its creator and contains a critical XSS vulnerability.

chjj/marked#592
https://www.npmjs.com/package/remarkable
8b5eca6
@danactive

+1

@developit

@matt- Remarkable looks great (very very clean) but it's about 6x the size of Marked. For some use-cases (client-side) it seems like Marked would be preferable on those grounds (though for anything else I'm probably going to be using remarkable given the focus on performance).

@uptownhr

the question is, where is the repo maintainer?

@developit

Perhaps on vacation?

@drastick

+1

@drastick

Vacation for a year? Must be nice.

@emveeoh
emveeoh commented Jun 2, 2016 edited

@matt or anyone else... Any chance that you would be willing to help the Modernizr js (https://github.com/Modernizr/Modernizr) swap out its dependency from Marked to Remarkable? I'm too new at programming javascript to take on the task myself.

@timjrobinson
timjrobinson commented Jun 2, 2016 edited

This appears to be no longer reproducible. I believe the author fixed it and just ignored this PR. Can anyone still reproduce it with the latest version of Marked?

EDIT: I was mistaken, this is still valid. Just had some more post processing that was causing it to not be reproducible in my app.

@matt-
Collaborator
matt- commented Jun 3, 2016

"Latest commit 88ce4df on Jul 31, 2015" This issue is not resolved and has not even been touched.

The exact example you gave is the XSS issue. (Put that HTML in a browser and click on it.) javascript: (in any form even with html entities) should be blocked in sanitize mode.

Example where marked works correctly:

> var md = require("marked");
> md.setOptions({sanitize: true})
> md("[URL](javascript:alert(1))");
'<p></p>\n'

Example this PR resolves with bad entities:

> var md = require("marked");
> md.setOptions({sanitize: true})
> md("[URL](javascript&#58document;alert&#40;1&#41;)");
'<p><a href="javascript&#58document;alert&#40;1&#41;">URL</a></p>\n'

If you think this is still somehow resolved, please read this blog post to better understand the issue:
https://snyk.io/blog/marked-xss-vulnerability/

@matt-
Collaborator
matt- commented Jun 3, 2016 edited

From the first sentence in this PR: "With the sanitize option on" This lib has a sanitize mode that is intended to block normal HTML and prevent xss. https://github.com/chjj/marked#sanitize

It also filters "javascript:" and "vbscript:" as intended in this mode. This is an example of bypassing that with html entities.

Executing javascript (an XSS) is much MUCH worse than "plain old hyperlinks". This is an abandoned project with an open and very clear security issue. Not exactly what I consider FUD.

@mvhenten
mvhenten commented Jun 3, 2016

@matt- I was able to reproduce this indeed. I may have been confused due to the fact that we post-process links and images, mitigating this issue.

@timjrobinson
timjrobinson commented Jun 3, 2016 edited

@matt- sorry I work with @mvhenten and we thought it was resolved but it was only not affecting us due to post-processing. This is still a valid issue. Thanks for the test cases.

@mvhenten
mvhenten commented Jun 3, 2016

I've dropped an old-fashioned e-mail. Maybe it helps.

@matt- matt- referenced this pull request in reactjs/react-tutorial Jun 3, 2016
Closed

Stored XSS in Mark Down #139

@rsp
Contributor
rsp commented Jun 7, 2016

@matt- You said that you made a fork - have you published it on npm? I agree with you that this module should never be used for any project if it has such a poor record of dealing with security issues, but there are already 1600 modules on npm that depend on it, and having a version on npm with your patch applied would make it possible to quickly fix them (and who knows how many other modules that depend on those 1600) with a simple change of require('marked') to require('marked-secure') (or however your fork would be named) as a temporary fix before they can all be updated to use better markdown parsers.

Having a security vulnerability in at least 1600 modules on npm even though a fix has been available for over a year now but the maintainer can't be bothered to click a merge button is a serious problem. The project may be dead in a sense that its original author doesn't care about it any more but it's anything but dead when you consider its usage:


It's being used all over the place - including the official Node.js website - it has 1.5 million downloads per month and growing.

I found out about this issue today by coincidence because I saw a "dependencies: insecure" badge in the readme of the https://nodejs.org/ website's GitHub project, which was linked to the nodejs.org entry on david-dm.org that had a big red "SECURITY VULNERABILITIES IN DEPENDENCIES" and a link to the marked content-injection advisory on the Node Security Platform - which in turn included a link to this very pull request. If I hadn't clicked that badge I would probably never know about any security problems with that module - I would certainly never go through all the issues and PRs to find this one or #724 and know that this project is dead and insecure, because there is not even a hint about any problem with that module in its readme on GitHub and npm.

@ultrasaurus ultrasaurus added a commit to openopps/marked that referenced this pull request Jun 8, 2016
@ultrasaurus ultrasaurus xss HTML entity fix
With the sanitize option on it is possible to create a link with a javascript: protocol with the following: 
   [URL](javascript&#58document;alert&#40;1&#41;).

HTML entities in the browser are not strict: the parser decodes what it can and leaves the rest behind. For example &#xNNanything; would parse the NN hex value but leave behind the string "anything;".

"javascript&#58document;" with the regex /&([#\w]+);/ returns "58document" and is parsed by String.fromCharCode to "". Because of this the later tests only see the javascript keyword without the ":". However the browser parses this to: "javascript:document;".

from: chjj#592
Merge branch 'xss_html_entities' of github.com:matt-/marked
430a908
@rsp rsp and 1 other commented on an outdated diff Jun 9, 2016
lib/marked.js
@@ -1094,7 +1094,8 @@ function escape(html, encode) {
}
function unescape(html) {
- return html.replace(/&([#\w]+);/g, function(_, n) {
+ // explicitly match decimal, hex, and named HTML entities
+ return html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(\w+))/g, function(_, n) {
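Review bot: the replacement pattern on the second `+` line no longer matches the trailing `;` of an entity, so `&#40;` now decodes to `(` with a literal `;` left behind in the output, whereas the removed `/&([#\w]+);/g` consumed it. Since the callback only reads the first capturing group, an optional `;?` can be appended after that group without changing the callback's input, e.g. `/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/g`. The third alternative `(\w+)` is also a capturing group the callback never uses; `(?:\w+)` would be consistent with the first two alternatives. A unit test with a semicolon-terminated entity next to one without would pin both behaviours down.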
@rsp
rsp Jun 9, 2016 Contributor

@matt- Shouldn't there be an optional semicolon in the regex so that unescape wouldn't leave the semicolons in the string if they are there?
I mean something like this:
/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(\w+));?/g
instead of:
/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(\w+))/g
or possibly with the third non-capturing group to be consistent with the first two:
/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/g

@matt-
matt- Jul 14, 2016 Collaborator

oops. yes that looks right to me. I will update the PR with tests for that.

@rsp
rsp Jul 15, 2016 Contributor

I posted a PR matt-/marked#1 for your xss_html_entities branch with that little change but with no tests yet. Let me know how you think the tests should look like so I'll add some. Thanks.
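The entity-decoding mismatch from the PR description and the semicolon point raised in this review thread, as an added example that is neither marked's own code nor this PR's patch: a small model of marked's sanitize-mode link check (modelled on marked 0.3.5's Renderer.link and unescape, an assumption about that version) run with the three regexes discussed here side by side, so the hrefs quoted in the thread can be used as a regression table.

```javascript
// Added example, not code from marked or from this PR. The decoder and the
// protocol check below are modelled on marked 0.3.5 (an assumption); only
// the entity regex differs between the three variants.

// Entity decoder callback, modelled on marked's unescape(): "&colon;" and
// numeric (decimal/hex) references decode, other named entities are dropped.
function decodeEntity(_, n) {
  n = n.toLowerCase();
  if (n === 'colon') return ':';
  if (n.charAt(0) === '#') {
    return n.charAt(1) === 'x'
      ? String.fromCharCode(parseInt(n.substring(2), 16))
      : String.fromCharCode(+n.substring(1));
  }
  return '';
}

// The three regexes in the order the thread discusses them.
const ENTITY_RE = {
  // Before the PR: any run of [#\w] up to a ';' is one entity, so
  // "&#58document;" is captured whole, +"58document" is NaN and
  // String.fromCharCode(NaN) yields "\u0000" instead of ":".
  before: /&([#\w]+);/g,
  // The PR as first posted: explicit decimal, hex and named forms, but the
  // trailing ';' is no longer consumed and stays in the output.
  pr: /&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(\w+))/g,
  // As merged after rsp's review: the ';' is consumed when present.
  merged: /&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/g,
};

function unescapeHtml(html, variant) {
  return html.replace(ENTITY_RE[variant], decodeEntity);
}

// Modelled on marked's sanitize check: decode entities, strip everything
// except word characters and ':', lower-case, then look at the protocol
// prefix. Returns true when the href would be rejected (link dropped).
function sanitizeRejects(href, variant) {
  let prot;
  try {
    prot = decodeURIComponent(unescapeHtml(href, variant))
      .replace(/[^\w:]/g, '')
      .toLowerCase();
  } catch (e) {
    return true; // malformed percent-encoding is rejected outright
  }
  return prot.indexOf('javascript:') === 0 || prot.indexOf('vbscript:') === 0;
}

// Regression table: the hrefs quoted in this thread plus a benign one
// (constructed) that must stay allowed under every variant.
const CASES = [
  'javascript:alert(1)',                      // plain form, blocked by all
  'javascript&#58document;alert&#40;1&#41;',  // from the PR description
  'http://example.com/?a=1&amp;b=2',          // benign, constructed
];

function regressionTable() {
  const rows = {};
  for (const href of CASES) {
    rows[href] = {};
    for (const variant of Object.keys(ENTITY_RE)) {
      rows[href][variant] = sanitizeRejects(href, variant);
    }
  }
  return rows;
}

console.table(regressionTable());
```

The "before" column shows the entity-encoded href slipping through while both later columns reject it; comparing unescapeHtml('&#40;1&#41;', 'pr') with the 'merged' variant shows the stray semicolons the review comment is about.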

@tcurdt
tcurdt commented Jun 12, 2016

Especially @matt- please check out #756

@STRML
STRML commented Jun 14, 2016

Is there any precedent at npm for transferring an insecure package to a new maintainer who can be trusted to move the project forward? I would assume some sort of process would need to be in place in case of a disappearing/deceased/missing maintainer of any sufficiently popular package.

@tcurdt
tcurdt commented Jun 14, 2016

@STRML I believe there must be a process - but I am not aware of any. That said - have a look at #756. I guess we just need someone that steps up.

@chrisallenlane chrisallenlane added a commit to chrisallenlane/wit-cms that referenced this pull request Jun 19, 2016
@chrisallenlane chrisallenlane Deprecated `marked`
`snyk` reporting upon the following vulnerability in `marked`:

chjj/marked#592

While, practically speaking, that vulnerability would have not have
affected `wit-cms`, I chose to replace `marked` with `remarkable`
regardless.
2a0d636
@chrisallenlane chrisallenlane added a commit to chrisallenlane/wit-cms that referenced this pull request Jun 25, 2016
@chrisallenlane chrisallenlane Major refactoring
- Major architectural improvements
- Major improvements to unit-test suite
- Added native search capability

Squashed commit of the following:

d0fb42d
@markstos
markstos commented Jul 8, 2016

Besides the Remarkable project, there is also markdown-it. The description of this project says:

markdown-it is the result of the decision of the authors who contributed to 99% of the Remarkable code to move to a project with the same authorship but new leadership (Vitaly and Alex). It's not a fork.

The API for markdown-it looks very similar to Remarkable. I don't understand how it's Not a fork.

I have not tried Remarkable or markdown-it. Any comments on the differences are welcome. Other people are going to continue to end up at this pull request because it's referenced by a security notice:

https://nodesecurity.io/advisories/101

Since the best "fix" seems to be switching to a new project, it seems on-topic to discuss the best alternatives here.

@mvhenten
mvhenten commented Jul 8, 2016

@chjj responded to a call for maintainers #756

@timjrobinson

@matt- now that you're a maintainer can you merge / release this please :)

@matt-
Collaborator
matt- commented Jul 13, 2016

I would like to have someone else sign off on the PR (as I am the one that added it). Anyone?

@STRML
STRML commented Jul 13, 2016

Hang on, test 10 is failing:

#10. def_blocks.text failed at offset 20. Near: "<blockquote><p>hello</p><p><ahref="foo">1</a>:hell".


Got:
<blockquote><p>hello</p><p><ahref="foo">1</a>:hell


Expected:
<blockquote><p>hello[1]:hello</p></blockquote><hr>
@STRML
STRML commented Jul 13, 2016

Would be good to address #321, #474 first so we have test output in the PR.

@STRML
STRML commented Jul 13, 2016

Actually can confirm test 10 is failing on master, so it's not a regression. 👍 LGTM, did you want to address the semicolon concern in the line comment?

@rsp rsp add optional semicolon in html entities regex
and make non-capturing group out of (\w+) that was not used in the function
(only the entire surrounding group is used as a whole)
The semicolon is outside of the capturing group so the input to the
function is the same as before.
See this comment:
https://github.com/chjj/marked/pull/592/files/2cff859#r70888592
31c7799
@rsp rsp referenced this pull request in matt-/marked Jul 15, 2016
Merged

Optional semicolon in html entities regex #1

@matt- matt- Merge pull request #1 from rsp/fix/xss_html_entities_semicolon
Optional semicolon in html entities regex
0fa05b6
@matt-
Collaborator
matt- commented Jul 20, 2016

I think we are good on this one?

@maxbeatty maxbeatty referenced this pull request in jsperf/jsperf.com Jul 25, 2016
Closed

Upgrade marked #146

@rsp
Contributor
rsp commented Jul 28, 2016

Any plans to publish this patch on npm?
marked still triggers "SECURITY VULNERABILITIES IN DEPENDENCIES" warning for nodejs.org at https://david-dm.org/nodejs/nodejs.org

@STRML
STRML commented Jul 29, 2016

No reason to keep delaying on this, please merge @matt-

@matt- matt- merged commit fd0d1a2 into chjj:master Jul 29, 2016
@matt-
Collaborator
matt- commented Jul 29, 2016

I thought we were waiting because test 10 is failing.

@STRML
STRML commented Jul 29, 2016

See #592 (comment)

Anyway, thanks for the merge!

@matt-
Collaborator
matt- commented Jul 29, 2016

Yep, that was my bad. Happy to finally get this in.

@rsp
Contributor
rsp commented Jul 29, 2016 edited

@matt- Can you npm version patch && npm publish yourself or does it still have to be done by @chjj? The version on npm is still 0.3.5 published 12 months ago: https://www.npmjs.com/package/marked

@matt-
Collaborator
matt- commented Jul 30, 2016

That is all @chjj

On Friday, July 29, 2016, Rafał Pocztarski notifications@github.com wrote:

@matt- https://github.com/matt- Can you npm version patch && npm publish
yourself or does it still have to be done by @chjj
https://github.com/chjj? The version of npm is still 0.3.5 published 12
months ago: https://www.npmjs.com/package/marked



../matt

@chjj
Owner
chjj commented Jul 30, 2016

@matt-, published. Great work guys.

@kba kba added a commit to kba/codo that referenced this pull request Aug 30, 2016
@kba kba Set marked to >= 0.3.6 to mitigate chjj/marked#592 e73d39d
@kba kba added a commit to kba/codo that referenced this pull request Aug 30, 2016
@kba kba Update marked to >= 0.3.6 and sanitize input
To mitigate chjj/marked#592
57a8d40