XSS vulnerability found in the Wechatsync markdown preview page

Hi, Wechatsync developer!

Currently, the markdown rendering page does not sanitize user input for scripts, which can lead to Cross-site Scripting (XSS) in the markdown preview page.

#### Payload
```
<img src=1 onerror="javascript:alert(document.domain)">
```

#### PoC
![tmp](https://github.com/user-attachments/assets/0003cac1-0a24-4674-8561-cd56d78e4263)


#### Impact

Users of Wecharsync who open untrusted markdown files on the platform (i.e., `https://www.wechatsync.com/md/`) are vulnerable to XSS attacks.

Note that, since the project doesn't set the security policy, I directly report the vulnerability here.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

XSS vulnerability found in the Wechatsync markdown preview page #118

Payload

PoC

Impact

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

XSS vulnerability found in the Wechatsync markdown preview page #118

Description

Payload

PoC

Impact

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions