Kivikakk

Rank #20759 of 53,632 · Total CVSS 12.2 · Vulnerabilities: 2 (Medium: 2)
PT-2021-21993 · CVSS 6.1 · 2021-05-04 · Comrak · Comrak · CVE-2021-38186
**Name of the Vulnerable Software and Affected Versions** comrak versions prior to 0.10.1

**Description** The comrak crate for Rust mishandles `&` characters, leading to XSS via `&#` HTML entities. Ampersands were not correctly escaped in link targets, so unsafe URLs using schemes such as `data:` or `javascript:` could be crafted by entering them as HTML entities.

**Recommendations** For versions prior to 0.10.1, update to version 0.10.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of link targets that contain HTML entities to minimize the risk of exploitation.
PT-2021-17596 · CVSS 6.1 · 2021-02-21 · Comrak · Comrak · CVE-2021-27671
**Name of the Vulnerable Software and Affected Versions** comrak crate versions prior to 0.9.1

**Description** An issue in the comrak crate allows cross-site scripting (XSS) to occur because the protection mechanism for `data:` and `javascript:` URIs is case-sensitive. This enables attackers to use variations like `Data:` to launch an attack.

**Recommendations** For versions prior to 0.9.1, update to version 0.9.1 or later to resolve the issue. As a temporary workaround, consider implementing case-insensitive matching for unsafe URL prefixes, such as `data:` or `javascript:`, to prevent exploitation.
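As an added example that is not comrak's own code, the following Rust check addresses both weaknesses described in the two entries above: numeric HTML entities in a link target are decoded before the scheme is inspected (CVE-2021-38186), and the comparison against unsafe prefixes is case-insensitive (CVE-2021-27671). The prefix list and the entity decoder are assumptions chosen for illustration, not comrak's implementation.

```rust
// Added example, not comrak's own code. The prefix list is an assumption
// chosen for illustration; the two fixes shown are the ones the entries
// describe: entity decoding before inspection and case-insensitive matching.
const UNSAFE_PREFIXES: [&str; 4] = ["javascript:", "vbscript:", "file:", "data:"];

/// Decode numeric character references (`&#106;` decimal, `&#x6A;` hex).
/// Malformed references are passed through unchanged; named entities are
/// outside the scope of this illustration.
fn decode_numeric_entities(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    let mut rest = input;
    while let Some(pos) = rest.find("&#") {
        out.push_str(&rest[..pos]);
        let body = &rest[pos + 2..];
        let (radix, digits) = match body.strip_prefix(|c: char| c == 'x' || c == 'X') {
            Some(hex) => (16, hex),
            None => (10, body),
        };
        // A well-formed reference is one or more digits of the radix, then ';'.
        let decoded = digits.find(';').and_then(|end| {
            let num = &digits[..end];
            if num.is_empty() || !num.chars().all(|c| c.is_digit(radix)) {
                return None;
            }
            u32::from_str_radix(num, radix).ok().and_then(char::from_u32).map(|c| (c, end))
        });
        match decoded {
            Some((c, end)) => { out.push(c); rest = &digits[end + 1..]; }
            None => { out.push_str("&#"); rest = body; }
        }
    }
    out.push_str(rest);
    out
}

/// The check a renderer should apply to a link target: decode entities
/// first, then compare the scheme case-insensitively against the list.
fn is_unsafe_link_target(target: &str) -> bool {
    let normalized = decode_numeric_entities(target).trim().to_ascii_lowercase();
    UNSAFE_PREFIXES.iter().any(|p| normalized.starts_with(p))
}

fn main() {
    // Constructed sample targets: a benign URL, the case variant from
    // CVE-2021-27671, and an entity-encoded scheme as in CVE-2021-38186.
    for target in ["https://example.com/?a=1&amp;b=2", "Data:text/html,example", "&#106;avascript:void(0)"].iter() {
        println!("{:<40} unsafe={}", target, is_unsafe_link_target(target));
    }
}
```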