Closed ooooooo-q closed 3 years ago
Good find, thank you!
I'm thinking of tweaking it to escape everything in between the {} instead, like it was done for the markdown-it-prism issue you linked, something like this (on line 52):
const cls = lang ? ` class="${options.langPrefix}${md.utils.escapeHtml(lang)}"` : ''
Do you think that would make sense as well?
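An added example, not code from this thread or from the plugin itself: the class-attribute builder proposed above (language token escaped with escapeHtml) placed beside the unescaped form it replaces, plus a small check that the attribute quoting stays intact. The escapeHtml function here is a minimal stand-in assumed to match md.utils.escapeHtml for the four characters it handles, and the option name langPrefix is taken from the line quoted above.

```javascript
// Added example (not the plugin's own code). `escapeHtml` is a stand-in for
// md.utils.escapeHtml from markdown-it and is assumed to handle the same four
// characters.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Before the fix: the language token is interpolated into the attribute as-is,
// so a double quote inside it ends the attribute early.
function unsafeClassAttr(lang, options) {
  return lang ? ` class="${options.langPrefix}${lang}"` : '';
}

// After the fix: everything between the braces is HTML-escaped first, as
// proposed in the comment above.
function safeClassAttr(lang, options) {
  return lang ? ` class="${options.langPrefix}${escapeHtml(lang)}"` : '';
}

// Render an inline <code> element the way a highlighting plugin would, using
// the safe attribute builder. `highlighted` is assumed to be already-escaped
// (or already-highlighted) markup.
function renderInlineCode(lang, highlighted, options) {
  return `<code${safeClassAttr(lang, options)}>${highlighted}</code>`;
}

// Defender's sanity check: a well-formed attribute string contains exactly two
// double quotes, the one opening and the one closing class="...". Any extra
// quote means the language token escaped the attribute.
function attributeIsIntact(attr) {
  return (attr.match(/"/g) || []).length === 2;
}

const options = { langPrefix: 'language-' };

// Constructed language token containing a double quote, the character that
// lets a value break out of a quoted HTML attribute (benign marker only).
const hostileLang = 'js" title="injected';

console.log(unsafeClassAttr(hostileLang, options)); // attribute broken
console.log(safeClassAttr(hostileLang, options));   // quote becomes &quot;
console.log(renderInlineCode('js', 'x', options));
```

Running the block prints the unescaped and escaped attribute strings side by side; the escaped one keeps the quote inside the class value as `&quot;`, which is what the one-line patch above achieves.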
Certainly. If it can use escapeHtml, it seems better.
:+1: the patch is live on 3.3.1, thanks again!
I found XSS in inline code highlighting.
Example
Results
Similar problem: https://github.com/jGleitz/markdown-it-prism/pull/137