This repository has been archived by the owner on Sep 16, 2019. It is now read-only.
It is expected behavior, not unexpected XSS. JavaScript injection is allowed in the pre-released version because we have recognized the power users who want to empower their slide decks with scripting. See #29.
It's not a big deal to just execute an alert() script, and the critical cases reported in CVE-2017-2239 are already fixed. If you find a more serious attack, please mail the details to security@marp.app. We would fix the reported vulnerability if we recognized that it has a potential risk.
NOTE: We cannot guarantee that we will keep fixing issues, because maintenance of the current Marp stopped long ago. In the future versions (Marp Next family: Marp CLI, Marp Web, etc.), we have prevented DOM-based XSS by default. (marp-team/marp-core#9, marp-team/marp-core#26)
I'm using v 0.0.14 of MARP and writing some docs about XSS.
When writing it, I noticed that the Preview panel is executing some kind of XSS.
Example (try to put this in one document) and see the result: