CVE-2021-43827

Name of the Vulnerable Software and Affected Versions: discourse-footnote versions prior to 0.2

Description: The discourse-footnote library has an issue where posting an inline footnote wrapped in <a> tags results in a nested <a> in the rendered HTML, which is stripped by Nokogiri due to its invalidity. This causes a javascript error on topic pages because the code looks for an <a> element inside the footnote reference span to get its ID, but since it does not exist, a null reference error occurs in javascript.

Recommendations: For versions prior to 0.2, update to version 0.2 to resolve the issue. As a temporary workaround, consider editing offending posts from the rails console or the database console for self-hosters, or disabling the plugin in the admin panel to mitigate this issue.