markbind icon indicating copy to clipboard operation
markbind copied to clipboard
verified publisher icon MarkBind

Markdown-It Radio Button Plugin Crashes Due to Unsafe Token Access

Open gerteck opened this issue 3 months ago • 0 comments

Please confirm that you have searched existing issues in the repo

Yes, I have searched the existing issues

Any related issues?

No response

Tell us about your environment

Win 11

MarkBind version

v6.0.2

Describe the bug and the steps to reproduce it

The markdown-it-radio-button plugin crashes with TypeError: Cannot read properties of undefined (reading 'content') when processing most radio button syntax due to unsafe token array access.

E.g. Serving this markdown file:

<frontmatter>
  layout: default.md
  title: Hello World
  pageNav: 1
  pageNavTitle: "Chapters of This Page"
</frontmatter>

- ( ) Item 1
- ( ) Item 2
- (x) Item 3

Hello world

PS C:\Users\..\dev\mb-init> markbind serve 
  __  __                  _      ____    _               _ 
 |  \/  |   __ _   _ __  | | __ | __ )  (_)  _ __     __| |
 | |\/| |  / _` | | '__| | |/ / |  _ \  | | | '_ \   / _` |
 | |  | | | (_| | | |    |   <  | |_) | | | | | | | | (_| |
 |_|  |_|  \__,_| |_|    |_|\_\ |____/  |_| |_| |_|  \__,_|

 v6.0.2
info: Website generation started at 5:45:55 PM
info: Building assets...
info: Assets built
info: Generating pages...
error:  message=Cannot read properties of undefined (reading 'content'), stack=TypeError: Cannot read properties of undefined (reading 'content')
    at Array.<anonymous> (..\markbind\packages\core\src\lib\markdown-it\plugins\markdown-it-radio-button.js:24:45)
    at Core.process (..\markbind\node_modules\markdown-it\lib\parser_core.js:51:13)
    at MarkdownIt.parse (..\markbind\node_modules\markdown-it\lib\index.js:524:13)
    at MarkdownIt.render (..\markbind\node_modules\markdown-it\lib\index.js:544:36)
    at MarkdownProcessor.renderMd (..\markbind\packages\core\src\html\MarkdownProcessor.js:15:38)
    at ..\markbind\packages\core\src\html\NodeProcessor.js:391:64

Root Cause: The plugin attempts to access tokens[i-5].content and tokens[i-4].content without checking if those tokens exist (lines 24-26 in markdown-it-radio-button.js)

https://github.com/MarkBind/markbind/blob/b4348841d3ff5163c58e9ef703396b85664cb823/packages/core/src/lib/markdown-it/plugins/markdown-it-radio-button.js#L1-L118

Expected behavior

Radio button syntax should be processed without crashing, converting ( ) to radio input elements and (x)/(X) to checked radio inputs.

Anything else?

Found the bug when writing testcases in #2747 , if that has been merged, have added skipped testcases, in this PR, should also unskip the testcases and pass them to verify functionality

No response

gerteck avatar Sep 22 '25 09:09 gerteck