CVE-2016-10531

Name of the Vulnerable Software and Affected Versions marked versions 0.3.5 and earlier

Description The issue arises from the way marked parses input, specifically HTML entities, allowing for the bypass of content injection protection when sanitize: true is configured. This enables the injection of a javascript: URL. The flaw occurs because &#xNNanything; gets parsed, leaving behind any remaining characters, such as anything;. This can lead to cross-site scripting vulnerabilities in link components. For instance, a link URI like javascript&#x58document;alert(1) can render a valid link that executes alert(1) when clicked.

Recommendations Update to version 0.3.6 or later. As a temporary workaround, consider disabling the sanitize: true configuration until a patch is available. Restrict access to link components to minimize the risk of exploitation. Avoid using HTML entities in link URIs until the issue is resolved.