Merge pull request #774 from mrtc0/report-comrak-xss

Add advisory on comrak XSS
This commit is contained in:
Sergey "Shnatsel" Davidoff
2021-02-21 03:44:25 +01:00
committed by GitHub


@@ -0,0 +1,17 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "comrak"
date = "2021-02-21"
url = "https://github.com/kivikakk/comrak/releases/tag/0.9.1"
categories = ["format-injection"]
keywords = ["xss"]
[versions]
patched = [">= 0.9.1"]
```
# XSS in `comrak`
The [comrak](https://github.com/kivikakk/comrak) we were matching unsafe URL prefixes, such as `data:` or `javascript:` , in a case-sensitive manner. This meant prefixes like `Data:` were untouched.
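Review bot: the description sentence is missing a noun ("The [comrak](...) we were matching unsafe URL prefixes") and the advisory never states what the bug lets a document do; suggest rewording to something like "The [comrak](https://github.com/kivikakk/comrak) crate matched unsafe URL prefixes, such as `data:` or `javascript:`, case-sensitively, so a prefix like `Data:` or `JavaScript:` passed the filter and could reach the rendered HTML" so that readers of the advisory see both the cause and the effect. The `[versions]` table gives only `patched = [">= 0.9.1"]`; since the linked release is 0.9.1, that is consistent, but the `id = "RUSTSEC-0000-0000"` placeholder should be replaced with the assigned identifier before or at merge, and an `aliases` entry should be added if a CVE or GHSA id exists for this fix.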