PT-2018-9333 · Erusev · Parsedown

Aidantwoods · Published 2018-04-18 · Updated 2022-03-30 · CVE-2018-1000162

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Parsedown versions prior to 1.7.0
Description: The issue is a Cross-Site Scripting (XSS) vulnerability in the setMarkupEscaped function used to escape HTML, which can result in JavaScript code execution. It can be exploited via specially crafted markdown that bypasses HTML escaping by breaking Abstract Syntax Tree (AST) boundaries.
Recommendations: For versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of the setMarkupEscaped function until a patch is applied. Until the issue is resolved, avoid processing untrusted markdown that can break AST boundaries in the affected function.

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2018-1000162
GHSA-QGPV-86R3-87FH

Affected products

Parsedown