Open l4wio opened 5 years ago
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚
Automatically generated by @huntr-helper...
🛠️ A fix has been provided for this issue. Please reference: https://github.com/418sec/markdown-it-katex/pull/1
🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.
Look at: https://github.com/waylonflinn/markdown-it-katex/blob/master/index.js#L168
Once the parser returns an error, it would return `katex` without sanitizing it as HTML tags. To trigger this `catch` block, you can easily put one more "%" character. Try it on the live demo http://waylonflinn.github.io/markdown-it-katex/

`$<img src=a onerror=alert(1)>$` , nothing happens.

`$<img src=a onerror=alert(1)>%$` , you can see the alert dialog.

Consider that this affects many real-world products.
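The failure path the report describes, as an added example that is not the project's code: a renderer that falls back to the raw source on a parse error, beside the hardened form that HTML-escapes the fallback. `failingRenderer` is a constructed stand-in for `katex.renderToString` (it throws on any input containing "%", mimicking the parse error the issue triggers) so the catch branch can be exercised offline without KaTeX.

```javascript
// Minimal HTML escaping for text that must land in the page as text, not markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: when rendering throws, the untouched source string is
// returned and ends up in the document as live markup.
function renderInlineVulnerable(latex, renderToString) {
  try {
    return renderToString(latex);
  } catch (error) {
    return latex; // raw fallback: any tag inside `latex` reaches the DOM
  }
}

// Hardened shape: the fallback is escaped before it is returned, so a parse
// error can only ever produce visible text, never an element or handler.
function renderInlineFixed(latex, renderToString) {
  try {
    return renderToString(latex);
  } catch (error) {
    return '<code>' + escapeHtml(latex) + '</code>';
  }
}

// Constructed stand-in for katex.renderToString (assumption, not KaTeX itself):
// throws on "%" to reproduce the catch-block path from the report.
function failingRenderer(latex) {
  if (latex.includes('%')) {
    throw new Error('ParseError: unexpected %');
  }
  return '<span class="katex">' + escapeHtml(latex) + '</span>';
}

// Detection helper: does the rendered output still contain a raw HTML tag
// other than the wrapper elements the renderer itself emits?
function leaksRawTag(html) {
  return /<(?!\/?(code|span)\b)[a-z]/i.test(html);
}

// Constructed sample: not math, carries markup, and has the extra "%".
const SAMPLE = '<b>not math</b> %';
```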