Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cross-site Scripting (XSS) via URI #925

buglloc opened this issue Aug 15, 2017 · 5 comments


None yet
4 participants
Copy link

commented Aug 15, 2017

Browsers support both lowercase and uppercase x in hexadecimal form of HTML character entity (tested on Chromium && FF).
But marked unescape only lowercase:


function unescape(html) {
	// explicitly match decimal, hex, and named HTML entities 
  return html.replace(/&(#(?:\d+)|(?:#x[0-9A-Fa-f]+)|(?:\w+));?/g, function(_, n) {
    n = n.toLowerCase();
    if (n === 'colon') return ':';
    if (n.charAt(0) === '#') {
      return n.charAt(1) === 'x'
        ? String.fromCharCode(parseInt(n.substring(2), 16))
        : String.fromCharCode(+n.substring(1));
    return '';

This allow attacker to create link with javascript code.
For example, this code:

var marked = require('marked');
  renderer: new marked.Renderer(),
  sanitize: true

text = `
lower[click me](javascript:...)lower
upper[click me](javascript:...)upper


Will render:

upper<a href="javascript&#X3a;...">click me</a>upper</p>

Browser example:
Tested on Marked v0.3.6 + Chromium 60.0.3112.90 and Firefox 55.0.1


This comment has been minimized.

Copy link

commented Aug 29, 2017

You are right. this should should be a case-insensitive match:


unfortunately the maintainer is not longer around to push a change to npm. I will push a change to the master branch but unfortunately that may be as far as this change goes.


This comment has been minimized.

Copy link

commented Oct 25, 2017

Hi Matt -- did this issue ever result in a pull request? Thanks!


This comment has been minimized.

Copy link

commented Dec 1, 2017

See #937

@joshbruce joshbruce referenced this issue Dec 1, 2017


Release 0.3.7 #961

@matt- matt- reopened this Dec 4, 2017


This comment has been minimized.

Copy link

commented Dec 4, 2017

Just tested this and it is still an issue. Why was this closed? what tests were added?


This comment has been minimized.

Copy link

commented Dec 5, 2017

See #926

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.