CVE-2014-10065

Name of the Vulnerable Software and Affected Versions remarkable versions 1.4.0 and earlier

Description The issue allows certain input to bypass the bad protocol check, enabling javascript: URLs to be injected into the rendered content. This occurs due to improper whitelisting of link protocols in vulnerable versions, allowing the use of javascript:. For example, a markdown source like [link](javascript:alert(1)) can be rendered as <a href="javascript:alert(1)">link</a>, potentially leading to cross-site scripting.

Recommendations Update to version 1.4.1 or later. As a temporary workaround, consider restricting the use of user-provided links in remarkable until the issue is resolved. Avoid using the javascript: protocol in links to minimize the risk of exploitation.