CVE-2016-10531: Cross-site Scripting
Because of the way marked parses input, specifically HTML entities, it is possible to bypass marked's content injection protection (sanitize: true) and inject a javascript: URL. The flaw exists because &#xNNanything; is parsed as far as it can be and the rest is left behind, so that just anything; remains.
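One way to close this class of bypass, shown as an added example that is not marked's code and not part of the original advisory: decode character references the way an HTML parser does, then check the URL scheme against an allowlist. The function names, the allowlist and the sample inputs are assumptions constructed for illustration, and only numeric references plus three named ones are decoded.

```javascript
// Added example: scheme allowlist applied after browser-style entity decoding.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']); // assumed policy
const NAMED = { colon: ':', tab: '\t', newline: '\n' };       // subset only

// Decode character references the way an HTML parser does: the digits run up
// to the first non-digit and the closing ";" is optional, so "&#x3Ajunk;"
// yields ":" followed by the literal text "junk;".
function decodeLikeBrowser(s) {
  const ref = /&(?:#[xX]([0-9a-fA-F]+);?|#([0-9]+);?|(colon|Tab|NewLine);)/g;
  return s.replace(ref, (_, hex, dec, name) => {
    if (name) return NAMED[name.toLowerCase()];
    const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
    // NUL and out-of-range code points become U+FFFD, as in HTML parsing.
    return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
  });
}

// Return true only for relative URLs and URLs whose scheme is allowlisted.
function isSafeHref(href) {
  const url = decodeLikeBrowser(href)
    .replace(/[\t\n\r]/g, '')          // URL parsers drop ASCII tab and newlines
    .replace(/^[\u0000-\u0020]+/, ''); // and leading C0 controls and spaces
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(url);
  return m ? ALLOWED_SCHEMES.has(m[1].toLowerCase()) : true;
}

// Constructed sample inputs in the shape the advisory describes.
const samples = [
  'https://example.com/a?b=1&amp;c=2',
  '/docs/page#frag',
  'javascript&#x3Ajunk;void(0)',
  'javascript&#58junk;void(0)',
  'java&Tab;script&colon;void(0)',
];
for (const href of samples) {
  console.log(isSafeHref(href) ? 'allow ' : 'reject', href);
}
```

An allowlist fails closed: any scheme the policy does not name is rejected, so a decoding difference the filter does not anticipate cannot reintroduce a blocked scheme by a new spelling.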