GMS-2016-24: Sanitization bypass using HTML Entities
Due to the way that marked parses input, specifically HTML entities, it is possible to bypass marked's content injection protection (sanitize: true) and inject a javascript: URL through a link destination. With sanitize: true, marked decodes HTML entities in the destination and then rejects it if it starts with javascript:. The flaw is in how a malformed entity such as &#xNNanything; is handled: it gets parsed as far as it can be, so the leading &#xNN yields its character and only the remainder, anything;, is left behind as literal text. marked's check does not decode the destination the same way the browser does, so an attacker can write the colon of javascript: as a malformed numeric reference that the check fails to recognise while the browser still reconstructs the scheme when it reads the href attribute. A sanitizer must therefore normalise a URL exactly as its consumer (here the browser's HTML and URL parsers) will, and it is safer to allowlist the schemes a link may use than to blocklist javascript:.
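The mismatch described above, as an added example that is not marked's own code. It puts a sanitizer-style entity decoder that only recognises a fully formed entity (an assumption about the pre-fix behaviour, not copied from the project) next to a browser-style decoder that reads a numeric reference as far as it can and treats the semicolon as optional, runs a scheme check with each, and then shows a hardened check that normalises the href the browser's way and allowlists schemes. The payload and all inputs are constructed for the illustration; the browser-style decoder handles numeric references and &colon; only, which is enough here, and a real implementation would decode the full entity table.

```javascript
// Added example, not marked's code. Three pieces:
//   strictUnescape  - entity decoder in the style of a sanitizer that only
//                     recognises "&" + [#\w]+ + ";" (assumed pre-fix behaviour);
//   lenientUnescape - browser-like attribute decoder: a numeric reference ends
//                     at the first non-digit and the ";" is optional;
//   isSafeHref      - hardened check: browser-style normalisation + allowlist.

function strictUnescape(s) {
  return s.replace(/&([#\w]+);/g, (_, n) => {
    n = n.toLowerCase();
    if (n === 'colon') return ':';
    if (n[0] === '#') {
      const code = n[1] === 'x' ? parseInt(n.slice(2), 16) : Number(n.slice(1));
      return Number.isNaN(code) ? '' : String.fromCharCode(code);
    }
    return ''; // unknown named entity: dropped
  });
}

function lenientUnescape(s) {
  return s
    .replace(/&#(x[0-9a-f]+|[0-9]+);?/gi, (_, n) => {
      const code = /^x/i.test(n) ? parseInt(n.slice(1), 16) : Number(n);
      // Out-of-range code points become U+FFFD, as in an HTML parser.
      return code > 0x10ffff ? '\uFFFD' : String.fromCodePoint(code);
    })
    .replace(/&colon;/gi, ':');
}

// Scheme check in the style of the vulnerable sanitizer: decode entities with
// the supplied decoder, strip everything but word characters and ":", then
// block destinations that start with javascript: (or vbscript:).
function isBlocked(href, unescape) {
  let prot;
  try {
    prot = decodeURIComponent(unescape(href)).replace(/[^\w:]/g, '').toLowerCase();
  } catch (e) {
    return true; // undecodable percent-encoding: treat as hostile
  }
  return prot.startsWith('javascript:') || prot.startsWith('vbscript:');
}

// Hardened check: decode the href the way the browser will, then allowlist.
function isSafeHref(href) {
  let decoded;
  try {
    decoded = decodeURIComponent(lenientUnescape(href));
  } catch (e) {
    return false;
  }
  // The URL parser strips leading C0 controls and removes tabs and newlines
  // anywhere ("java\tscript:" still runs); dropping all of [\x00-\x20] is the
  // conservative choice for a check.
  const normalized = decoded.replace(/[\x00-\x20]/g, '').toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(normalized);
  if (!m) return true; // no scheme: relative URL
  return ['http', 'https', 'mailto'].includes(m[1]);
}

// Constructed payload (not a proof of concept from the advisory): the colon of
// javascript: is written as "&#x3A" with no ";" and followed by a non-hex
// character, so the strict decoder finds no entity at all while the browser
// recovers ":" and keeps "prompt(1)" as literal text.
const payload = 'javascript&#x3Aprompt(1)';
console.log('sanitizer blocks it?  ', isBlocked(payload, strictUnescape)); // false
console.log('browser sees:         ', lenientUnescape(payload));           // javascript:prompt(1)
console.log('hardened check allows?', isSafeHref(payload));                // false
```

The first two lines of output are the bug in one place: the check that gates the link and the parser that renders it see two different strings. Decoding with the browser's rules before the check closes this variant; the allowlist in isSafeHref additionally covers schemes the blocklist never named.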
References
Code Behaviors & Features