@milkdown/preset-commonmark is vulnerable to Cross-Site Scripting (XSS)
54
Medium Risk
The commonmark link mark renders a stored href directly into a clickable anchor in linkSchema.toDOM (also carried into getHTML() output and read-only mode) without validating the URL scheme. An attacker who gets a javascript: or other unsafe-scheme URL stored in a link can cause script execution when the anchor is rendered or clicked. The fix adds a sanitizeLinkHref scheme allowlist (with control-character normalization) and applies it at the anchor rendering sink. The original URL is preserved inert as document text in the serialized markdown.
You are affected if you are using a version that falls within the vulnerable range and render markdown or HTML from untrusted or user-supplied sources with the commonmark link schema.
@milkdown/preset-commonmark is vulnerable to Cross-Site Scripting (XSS) in versions 7.0.0 - 7.21.2.
Upgrade the @milkdown/preset-commonmark library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant