```toml
[advisory]
id = "RUSTSEC-2021-0063"
package = "comrak"
date = "2021-05-04"
url = "https://github.com/kivikakk/comrak/releases/tag/0.10.1"
categories = ["format-injection"]
keywords = ["xss"]

[versions]
patched = [">= 0.10.1"]
```
XSS in comrak
comrak operates by default in a "safe" mode of operation in which unsafe content, such as arbitrary raw HTML or URLs with non-standard schemes, is not permitted in the output. This follows the reference GFM implementation, cmark-gfm.
Ampersands were not being correctly escaped in link targets, making it possible to fashion unsafe URLs using schemes like data: or javascript: by entering them as HTML entities, e.g. an entity-encoded form of data:. The intended behaviour, demonstrated upstream, is that these should be escaped and therefore harmless, but this behaviour was broken in comrak.
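An added illustration of the escaping difference the advisory describes, not comrak's or cmark-gfm's code: `is_dangerous_url`, `safe_href` and `browser_decode_attr` are simplified stand-ins for the renderer's scheme check and the browser's attribute decoding, and the sample destination is constructed. The point is that the scheme check runs on the destination as written, so only escaping `&` keeps the browser from decoding an entity-encoded scheme afterwards.

```rust
// Added illustration, not comrak's code; the three helpers are simplified
// stand-ins for the real renderer and browser behaviour.
/// Safe-mode style scheme check, applied to the destination at render time.
pub fn is_dangerous_url(url: &str) -> bool {
    let l = url.to_ascii_lowercase();
    ["javascript:", "vbscript:", "file:", "data:"].iter().any(|s| l.starts_with(*s))
}

/// Flawed escaper: quotes are handled, but `&` passes through untouched.
pub fn escape_href_flawed(url: &str) -> String {
    url.replace('"', "&quot;")
}

/// Fixed escaper: `&` is replaced first (so later escapes are not doubled),
/// so entity-like text in the destination is never re-decoded by the browser.
pub fn escape_href_fixed(url: &str) -> String {
    url.replace('&', "&amp;").replace('"', "&quot;")
}

/// The href attribute value a safe-mode renderer emits: empty when the
/// destination looks dangerous as written, otherwise the escaped destination.
pub fn safe_href(dest: &str, escape: fn(&str) -> String) -> String {
    if is_dangerous_url(dest) { String::new() } else { escape(dest) }
}

/// Minimal model of browser attribute decoding: `&amp;` and `&#x..;` only.
pub fn browser_decode_attr(s: &str) -> String {
    let (mut out, mut rest) = (String::new(), s);
    while let Some(i) = rest.find('&') {
        out.push_str(&rest[..i]);
        let tail = &rest[i..];
        let hex = tail.find(';').filter(|_| tail.starts_with("&#x"));
        let hex_char = hex
            .and_then(|e| u32::from_str_radix(&tail[3..e], 16).ok())
            .and_then(char::from_u32);
        if let Some(t) = tail.strip_prefix("&amp;") {
            out.push('&');
            rest = t;
        } else if let (Some(c), Some(e)) = (hex_char, hex) {
            out.push(c);
            rest = &tail[e + 1..];
        } else {
            out.push('&'); // not a reference we model: keep the literal ampersand
            rest = &tail[1..];
        }
    }
    out.push_str(rest);
    out
}
```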