valeriangalliat / markdown-it-highlightjs

Preset to use highlight.js with markdown-it.
The Unlicense
58 stars, 31 forks

Fix made in November now absent from code #18

Closed minusworld closed 3 years ago

minusworld commented 3 years ago

Hello,

I'm a security researcher at r2c. 👋 I am studying XSS vulnerabilities and happened across this PR addressing an XSS in your repo.

By pure luck, I noticed that the recent refactoring seems to have removed this patch. I'm not certain if this was intentional for some unknown reason; however, I wanted to bring it to your attention.

Hope this helps! Cheers.

valeriangalliat commented 3 years ago

Hey!

We decided that escaping the special characters at the output level with md.utils.escapeHtml(lang) (https://github.com/valeriangalliat/markdown-it-highlightjs/blob/2c93df723559aee0b52fd77c5335ccdfd46101d9/core.js#L50) was a cleaner way to prevent the XSS vulnerability, so the original patch in the regex wasn't necessary anymore :)

If you agree that this is a solid mitigation, I'll let you close this issue, otherwise I would love to hear your thoughts on a better solution.

Cheers!
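The mitigation the maintainer describes, as an added example that is not part of this issue thread or the project's code: the fence info string (the "language" after the opening backticks) ends up inside a `class` attribute, so an unescaped value can close the attribute and inject markup, while escaping it at output time neutralises that regardless of what the regex upstream accepts. `escapeHtml` below reimplements what markdown-it's `md.utils.escapeHtml` does (escape `&`, `<`, `>` and `"`) so the example runs without installing markdown-it; the highlighter stub, the minimal fence parser and the attacker payload are all constructed for illustration, and `renderFenceAllowList` shows a regex allow-list as the alternative strategy in general terms, not the project's original patch.

```javascript
// Added example, not the project's own code. Demonstrates why escaping the
// fence language name at the output level prevents attribute-injection XSS.

// Reimplementation of markdown-it's md.utils.escapeHtml behaviour (assumption:
// it escapes exactly these four characters, which is what that helper does).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Constructed stand-in for highlight.js: only escapes the code body, which is
// enough here because the bug is in the language name, not the code.
function highlight(code, lang) {
  return escapeHtml(code);
}

// markdown-it takes the first whitespace-separated word of the info string as
// the language; mirrored here so the example behaves like a real fence renderer.
function langFromInfo(info) {
  return info.trim().split(/\s+/)[0] || '';
}

// VULNERABLE: the language name is interpolated raw into the class attribute.
function renderFenceVulnerable(code, info) {
  const lang = langFromInfo(info);
  return `<pre><code class="hljs language-${lang}">${highlight(code, lang)}</code></pre>`;
}

// HARDENED (output-level escaping, the approach described in the thread):
// same markup, but the attribute value cannot contain a raw quote or bracket.
function renderFenceHardened(code, info) {
  const lang = langFromInfo(info);
  return `<pre><code class="hljs language-${escapeHtml(lang)}">${highlight(code, lang)}</code></pre>`;
}

// ALTERNATIVE (input-level allow-list, illustrative only): reject anything that
// is not a plausible language identifier before it reaches the template.
// Characters like + and # are kept for names such as c++ and c#.
function renderFenceAllowList(code, info) {
  const candidate = langFromInfo(info);
  const lang = /^[\w+#.-]*$/.test(candidate) ? candidate : '';
  return `<pre><code class="hljs language-${lang}">${highlight(code, lang)}</code></pre>`;
}

// Minimal fence parser (constructed): handles ```info\n...\n``` blocks only.
function renderMarkdownFences(markdown, renderFence) {
  const fence = /```([^\n]*)\n([\s\S]*?)\n```/g;
  return markdown.replace(fence, (_, info, code) => renderFence(code, info));
}

// Constructed attacker input: the info string closes the class attribute and
// opens an <img> with an event handler. Slashes avoid the whitespace split.
const MALICIOUS_INFO = '"><img/src=x/onerror=alert(1)>';
const MALICIOUS_DOC = '```' + MALICIOUS_INFO + '\nx\n```';
const BENIGN_DOC = '```js\nconsole.log(1)\n```';

// Check used to compare renderers: does a live <img ... onerror=...> tag survive?
function containsLiveHandler(html) {
  return /<img[^>]*onerror=/i.test(html);
}

function demo() {
  return {
    vulnerable: containsLiveHandler(renderMarkdownFences(MALICIOUS_DOC, renderFenceVulnerable)),
    hardened: containsLiveHandler(renderMarkdownFences(MALICIOUS_DOC, renderFenceHardened)),
    allowList: containsLiveHandler(renderMarkdownFences(MALICIOUS_DOC, renderFenceAllowList)),
  };
}

console.log(demo());
```

Running `demo()` shows the handler surviving only in the vulnerable renderer. The output-level escape is the more robust of the two fixes because it covers every path that writes the language into HTML, whereas an allow-list has to be kept in sync with every regex that feeds the renderer, which is exactly the kind of coupling that let the earlier patch disappear during a refactor.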