comrak operates by default in a "safe"
mode of operation where unsafe content, such as arbitrary raw HTML or URLs with
non-standard schemes, are not permitted in the output. This is per the
reference GFM implementation, cmark-gfm.
Ampersands were not being correctly escaped in link targets, making it possible
to fashion unsafe URLs using schemes like data: or javascript: by entering
them as HTML entities, e.g. &#x64&#x61&#x74&#x61&#x3a. The intended
behaviour, demonstrated upstream, is that these should be escaped and therefore
harmless, but this behaviour was broken in comrak.
comrak
0.7.0
>=0.10.1
comrak operates by default in a "safe" mode of operation where unsafe content, such as arbitrary raw HTML or URLs with non-standard schemes, are not permitted in the output. This is per the reference GFM implementation, cmark-gfm.
Ampersands were not being correctly escaped in link targets, making it possible to fashion unsafe URLs using schemes like
data:
orjavascript:
by entering them as HTML entities, e.g.&#x64&#x61&#x74&#x61&#x3a
. The intended behaviour, demonstrated upstream, is that these should be escaped and therefore harmless, but this behaviour was broken in comrak.See advisory page for additional details.