Markdown2 · CVE-2026-25516
**Name of the Vulnerable Software and Affected Versions**
NiceGUI versions prior to 3.7.0
**Description**
The `ui.markdown()` component in NiceGUI, which uses the `markdown2` library to convert markdown content to HTML, does not sanitize user-controlled markdown before rendering the resulting HTML via `innerHTML`. Because markdown permits raw HTML, an attacker can inject arbitrary HTML, including JavaScript event handlers, leading to Cross-Site Scripting (XSS). Unlike other NiceGUI components that render HTML, `ui.markdown()` lacks a `sanitize` parameter, which increases the risk. An attacker could exploit this by supplying crafted input to the `ui.markdown()` function. The proof of concept demonstrates that JavaScript executes on page load when a malicious image tag with an `onerror` event handler is injected. Successful exploitation could allow an attacker to steal session cookies, perform actions on behalf of the user, redirect users to malicious sites, or modify page content.
**Recommendations**
Versions prior to 3.7.0 should be updated to version 3.7.0 or later. As a temporary workaround, do not pass untrusted content directly to `ui.markdown()`. Instead, use one of the following approaches:

- Option 1: Convert the markdown to HTML yourself, sanitize the result, and render it with `ui.html()`.
- Option 2: Escape HTML in the input before markdown conversion if raw HTML is not needed.
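The two workarounds above, written out as an added example that is not NiceGUI's or markdown2's own code. Option 1 is shown as an allow-list sanitizer built on the standard library's `HTMLParser`, intended to run on the HTML that `markdown2.markdown()` produces before that HTML is handed to `ui.html()`; Option 2 is the escape-before-conversion step. The markdown2 call itself is assumed and not imported here so the block runs without the library, and the sample HTML fed to the sanitizer is constructed to resemble what a raw `<img ... onerror=...>` tag passes through as (markdown passes raw HTML through unchanged).

```python
"""Sanitizing untrusted markdown output before ui.html() (added example)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list of harmless tags that ordinary markdown produces.
ALLOWED_TAGS = {
    "p", "br", "em", "strong", "code", "pre", "blockquote", "ul", "ol", "li",
    "h1", "h2", "h3", "h4", "h5", "h6", "a", "img",
}
# Per-tag attribute allow-list; anything else (including every on* handler) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def _safe_url(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and similar URL schemes.

    Browsers ignore tab/newline inside URLs, so strip them first to avoid
    'java\\nscript:' style evasions of the scheme check.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\n\r").strip()
    return urlsplit(cleaned).scheme in SAFE_SCHEMES


class _AllowListSanitizer(HTMLParser):
    """Re-serialize HTML keeping only allow-listed tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, iframe, ...) is dropped entirely
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue  # event handlers never survive
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not _safe_url(value or ""):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped, so nothing in it can become markup.
        self.out.append(html.escape(data, quote=False))


def sanitize_html(rendered_html: str) -> str:
    """Option 1: sanitize converted HTML before passing it to ui.html()."""
    parser = _AllowListSanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)


def escape_before_markdown(untrusted_markdown: str) -> str:
    """Option 2: neutralize raw HTML before conversion, when raw HTML is not needed.

    The escaped string is then what you pass to markdown2.markdown() (assumed call).
    """
    return html.escape(untrusted_markdown, quote=True)


if __name__ == "__main__":
    # Constructed sample: what markdown-to-HTML conversion emits for the PoC-style payload.
    rendered = '<p>Hi <strong>there</strong></p>\n<img src="x" onerror="alert(1)">\n'
    print(sanitize_html(rendered))
    print(escape_before_markdown("<img src=x onerror=alert(1)>"))
```

The sanitizer is deliberately strict: an attribute that is not explicitly allowed for that tag is dropped, and `href`/`src` values are rejected unless their scheme is empty (relative) or one of `http`, `https`, `mailto`. If the application needs tables, footnotes or other extras that markdown2 can emit, extend the allow-lists rather than loosening the default. Whichever option is used, the fix remains upgrading to NiceGUI 3.7.0 or later.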