GMS-2020-370: HTML Injection in marky-markdown

September 3, 2020 (updated October 4, 2021)

All versions of marky-markdown are vulnerable to HTML Injection. The package fails to sanitize style attributes in img tags of the markdown input. This may allow attackers to affect the size of images in the rendered HTML. ## Recommendation

This package is no longer maintained. Please upgrade to @npmcorp/marky-markdown

References

github.com/advisories/GHSA-mg69-6j3m-jvgw
github.com/npm/marky-markdown
snyk.io/vuln/SNYK-JS-MARKYMARKDOWN-548871
www.npmjs.com/advisories/1470

Code Behaviors & Features

Detect and mitigate GMS-2020-370 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →