mdex is vulnerable to Cross-site Scripting (XSS)
51
Medium Risk
mdex is vulnerable to cross-site scripting when converting Markdown to Quill Delta. MDEx.to_delta/2 passes link, wikilink, and image URLs straight from parsed Markdown into Delta link/image attributes with no scheme allowlist or normalization. An attacker who controls the Markdown can embed javascript: URLs (e.g. [click](javascript:alert(document.cookie))), which survive into the Delta and become a href> or img src> when a downstream renderer (quill-delta-to-html or the Quill client) turns it into HTML. Links and wikilinks are the main risk because javascript: in href runs on click; image URLs are lower impact since modern browsers usually block javascript: in img src>.
You are affected if you are using a version that falls within the vulnerable range.
mdex is vulnerable to Cross-site Scripting (XSS) in versions 0.8.3 - 0.13.1.
Upgrade the mdex library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant