XSS to RCE vulnerability in Mermaid rendered #2946
Labels: 🪲 pri/major, 🐛 bug
Description
According to #2504, it will add a closing element at the end, which means it tries to parse it as HTML.
Steps to reproduce
Insert the following code into a markdown page:
(Remove the \ in the last line.)
Expected behavior:
Language input for the fenced code block should be sanitized before being rendered.
Actual behavior:
Versions
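Added example (not Mark Text's own code) of what "sanitized before being rendered" can look like for a fenced block's info string: the vulnerable verbatim interpolation beside an allowlist-based version. The allowlist pattern and the injected info string are constructed for illustration, not taken from the issue.

```javascript
// Sanitizing a fenced code block's info string before it is placed in HTML.
// Allowlist for language tokens (chosen for this example; extend as needed).
const LANG_PATTERN = /^[A-Za-z][A-Za-z0-9_+#.-]{0,31}$/;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable form: the info string goes into the class attribute verbatim,
// so a quote or angle bracket in it breaks out of the attribute and is
// parsed as markup by the renderer.
function renderCodeBlockUnsafe(info, body) {
  const lang = info.trim().split(/\s+/)[0] || '';
  return `<pre><code class="language-${lang}">${escapeHtml(body)}</code></pre>`;
}

// Hardened form: keep only the first whitespace-separated token, accept it
// only if it matches the allowlist, otherwise render with no language.
function sanitizeLang(info) {
  const token = (info || '').trim().split(/\s+/)[0] || '';
  return LANG_PATTERN.test(token) ? token : '';
}

function renderCodeBlockSafe(info, body) {
  const lang = sanitizeLang(info);
  // Escape again even after the allowlist check (defence in depth).
  const cls = lang ? ` class="language-${escapeHtml(lang)}"` : '';
  return `<pre><code${cls}>${escapeHtml(body)}</code></pre>`;
}

// Constructed info string that tries to close the attribute and inject a tag.
const CONSTRUCTED_INFO = 'js"><em>injected</em>';

// Render the same block both ways so the difference is visible.
function demo() {
  const body = 'console.log(1)';
  return {
    unsafe: renderCodeBlockUnsafe(CONSTRUCTED_INFO, body),
    safe: renderCodeBlockSafe(CONSTRUCTED_INFO, body),
  };
}
```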