CVE-2018-5773

Name of the Vulnerable Software and Affected Versions: markdown2 versions through 2.3.5

Description: The issue concerns a flaw in the safe mode feature of markdown2, which is intended to sanitize user input against XSS attacks. However, this feature does not properly escape input, allowing for the potential triggering of XSS with a crafted payload. This can be demonstrated by omitting the final > character from an IMG tag, showcasing the feature's inability to correctly handle such input.

Recommendations: For versions through 2.3.5, consider disabling the safe mode feature until a proper fix is available, as it does not provide the intended protection against XSS attacks. Additionally, restricting user input to prevent the inclusion of potentially malicious HTML tags, such as IMG tags without a closing >, can help minimize the risk of exploitation.