marko is vulnerable to Cross-Site Scripting (XSS)
61
Medium Risk
The default HTMLRenderer converts Markdown links and images through escape_url, which HTML-escapes and percent-encodes destinations but previously left dangerous URI schemes such as javascript:, vbscript:, and data: intact. Untrusted Markdown like [click](javascript:alert(1)) therefore rendered to HTML with executable link targets in the browser. Applications that display user-authored Markdown without a separate HTML sanitizer could expose stored or reflected cross-site scripting when victims interact with the link. The fix detects harmful schemes case-insensitively and replaces them with the safe placeholder #harmful-link.
You are affected if you are using a version that falls within the vulnerable range.
marko is vulnerable to Cross-Site Scripting (XSS) in versions 0.1.0 - 2.2.2.
Upgrade the marko library to the patched version.
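The scheme check described above, written as an added example for this advisory rather than marko's own escape_url code: a standalone Python function that normalizes a link destination, rejects the javascript:, vbscript: and data: schemes case-insensitively, and substitutes the #harmful-link placeholder, applied through a minimal inline-link renderer. The HARMFUL_SCHEMES tuple, the whitespace normalization and the regular expressions are assumptions of this example, not marko's implementation.

```python
import html
import re

# Added example for the marko XSS advisory; not marko's own escape_url code.
# Schemes named in the advisory as harmful, and the placeholder it uses.
HARMFUL_SCHEMES = ("javascript", "vbscript", "data")
SAFE_PLACEHOLDER = "#harmful-link"

# Browsers drop leading/trailing C0 controls and spaces and remove tab, LF
# and CR anywhere in a URL before parsing the scheme; mirror that so
# "  JavaScript:" or "java\nscript:" are not missed (assumed normalization).
_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")
_INNER_CONTROLS = re.compile(r"[\t\n\r]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def extract_scheme(url: str) -> str:
    """Return the lowercase scheme of url, or '' for relative/scheme-less URLs."""
    cleaned = _INNER_CONTROLS.sub("", _EDGE_CONTROLS.sub("", url))
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else ""


def is_harmful_url(url: str) -> bool:
    """True when the destination would execute script in a browser context."""
    return extract_scheme(url) in HARMFUL_SCHEMES


def sanitize_url(url: str) -> str:
    """Replace a harmful destination with the inert placeholder."""
    return SAFE_PLACEHOLDER if is_harmful_url(url) else url


# Minimal inline link syntax [text](dest); dest may contain one level of
# balanced parentheses so that javascript:alert(1) is captured whole.
_LINK = re.compile(r"\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))+)\)")


def render_links(markdown: str) -> str:
    """Render inline links to <a> tags with the scheme check and HTML escaping."""
    def repl(m: re.Match) -> str:
        href = html.escape(sanitize_url(m.group(2)), quote=True)
        return f'<a href="{href}">{html.escape(m.group(1))}</a>'
    return _LINK.sub(repl, markdown)
```

Note that HTML-escaping alone, as the vulnerable versions did, leaves `javascript:alert(1)` intact because it contains no characters that escaping touches; the scheme check is what neutralizes it.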