XSS in preview panel

[SPoint42]

I'm using v 0.0.14 of MARP and writing some docs about XSS.

when writing it, I notice that the Preview panel is executing some king of XSS.

Example(try to put this on one document) and see the result :

# XSS1  #
<iframe src='#' onload='alert("XSS1")'></iframe>

[yhatt]

It is an expected behavior, and not unexpected XSS. JavaScript injection is allowed in the pre-released version because we have recognized the power user who want empowering to slide deck with scripting. See #29.

It's not big deal to just execute alert() script, and critical cases reported in CVE-2017-2239 are already fixed. If you found more serious attack, please mail details to security@marp.app. We would fix the reported vulnerability if we recognized that it has a potential risk.

---

NOTE: We cannot guarantee that are keeping to fix because the current Marp have already stopped maintenance long ago. In future version (Marp Next family: Marp CLI, Marp Web etc...), we have prevented DOM-based XSS by default. (marp-team/marp-core#9, marp-team/marp-core#26)