
GMS-2020-230: discord-html not escaping HTML code blocks when lacking a language identifier

February 24, 2020

Impact

Any website using discord-markdown with user-generated markdown is vulnerable to having code injected into the page where the markdown is displayed.

Patches

This has been patched.

Workarounds

Escape the characters <, > and & before sending plain code blocks (fenced blocks with no language identifier) to discord-markdown.

References

https://github.com/brussell98/discord-markdown/issues/13

References

  • github.com/advisories/GHSA-9r27-994c-4xch
  • github.com/brussell98/discord-markdown/commit/7ce2eb66520815dcf5e97ef2bc8a2d5979da66e7
  • github.com/brussell98/discord-markdown/issues/13
  • github.com/brussell98/discord-markdown/security/advisories/GHSA-9r27-994c-4xch

Affected versions

All versions before 2.3.1

Fixed versions

  • 2.3.1

Solution

Upgrade to version 2.3.1 or above.

Source file

npm/discord-markdown/GMS-2020-230.yml

Page generated Wed, 14 May 2025 12:14:37 +0000.