
Restore A9 Insecure Components vulnerability

Open rcowsill opened this issue 5 years ago • 6 comments

The A9: Insecure Components vulnerability tutorial refers to the use of an insecure version of the Marked library, making the memos page vulnerable to XSS.

It appears that the project was upgraded to use marked 0.3.9, which fixed this vulnerability. This means none of the example exploit strings in the tutorial result in a successful XSS attack.

I think the package.json needs to specify marked 0.3.5, as that is the last version with the XSS vulnerability.

Note that this is also relevant to PR #169, which currently specifies the 0.3.9 version instead of 0.3.5.

rcowsill avatar Jun 06 '20 13:06 rcowsill

@rcowsill Thanks for reporting the issue. 👍

You are right about it. We will add it to our backlog. In case you have bandwidth, we will be happy to merge a PR with the required fix.

ckarande avatar Jun 09 '20 19:06 ckarande

Would you want that PR from a feature branch in a fork of master?

rcowsill avatar Jun 12 '20 10:06 rcowsill

Yes @rcowsill from and against feature/187 as we are implementing Lerna #187 (PR pending: #189)

UlisesGascon avatar Jun 13 '20 09:06 UlisesGascon

As discussed in #206, I'm going to add a test to confirm this vulnerability is present and functioning as expected. PR for that to follow...

rcowsill avatar Aug 08 '20 18:08 rcowsill

PR #208 containing the A9 test has been merged into feature/187. Should this issue be closed now, or should it be kept around until #187 is merged into master?

rcowsill avatar Aug 10 '20 11:08 rcowsill

ahh, I didn't even notice it's not PRed to the master branch @UlisesGascon can you advise?

lirantal avatar Aug 10 '20 11:08 lirantal