discord-html not escaping HTML code blocks when lacking a language identifier

High severity GitHub Reviewed Published Feb 20, 2020 in brussell98/discord-markdown • Updated Jan 9, 2023

Package

npm discord-markdown (npm)

Affected versions

< 2.3.1

Patched versions

2.3.1

Description

Impact

Any website that renders user-generated markdown with discord-markdown is vulnerable to having arbitrary HTML injected into the page where the rendered markdown is displayed.

Patches

This has been patched in version 2.3.1.

Workarounds

Escape the characters <, > and & before sending plain code blocks (fenced blocks with no language identifier) to discord-markdown.
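The workaround above as a pre-processing step in JavaScript. This is an added example, not code from the advisory or from discord-markdown; the fence regex and the function names are assumptions. It escapes &, < and > only inside fenced blocks that carry no language identifier, before the markdown string is handed to the library, so that tagged blocks (which the library already escapes) are not double-escaped.

```javascript
// Added example (not part of the advisory or of discord-markdown itself).
// Pre-processing for the workaround: escape &, < and > inside fenced code
// blocks that have no language identifier, before the markdown string is
// passed to discord-markdown (< 2.3.1). Blocks with a language tag are left
// untouched, since the library escapes those and a second pass would
// double-escape them.

// Escape the three characters that matter for HTML text content.
// '&' must go first so the other replacements are not re-escaped.
function escapeHtmlText(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Matches a fenced block: ```, an optional language line ("js\n"), then the
// body up to the closing ```. A language line is an identifier such as "js"
// or "c++" followed by a newline; a bare "\n" means no language was given.
// (Assumed fence syntax, modelled on Discord's code blocks.)
const FENCE_RE = /```([\w+#.-]*\n)?([\s\S]*?)```/g;

function escapePlainCodeBlocks(markdown) {
  return markdown.replace(FENCE_RE, (whole, langLine, body) => {
    const hasLanguage = langLine !== undefined && langLine.trim() !== '';
    if (hasLanguage) {
      return whole; // tagged block: leave it for the library to escape
    }
    const prefix = langLine === undefined ? '' : langLine; // keep the "\n"
    return '```' + prefix + escapeHtmlText(body) + '```';
  });
}

// Constructed sample input: one untagged block carrying markup (must be
// escaped) and one tagged block (must be left exactly as written).
const SAMPLE = [
  'hello ```<b>injected</b> & more``` world',
  '```js',
  'if (a < b && c > d) {}',
  '```',
].join('\n');

console.log(escapePlainCodeBlocks(SAMPLE));
```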

References

brussell98/discord-markdown#13

@brussell98 brussell98 published to brussell98/discord-markdown Feb 20, 2020
Reviewed Feb 21, 2020
Published to the GitHub Advisory Database Feb 24, 2020
Last updated Jan 9, 2023

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-9r27-994c-4xch

Source code

No known source code