devand
devand copied to clipboard
alepez
RUSTSEC-2021-0063: XSS in `comrak`
XSS in
comrak
| Details | |
|---|---|
| Package | comrak |
| Version | 0.7.0 |
| URL | https://github.com/kivikakk/comrak/releases/tag/0.10.1 |
| Date | 2021-05-04 |
| Patched versions | >=0.10.1 |
comrak operates by default in a "safe" mode of operation where unsafe content, such as arbitrary raw HTML or URLs with non-standard schemes, are not permitted in the output. This is per the reference GFM implementation, cmark-gfm.
Ampersands were not being correctly escaped in link targets, making it possible
to fashion unsafe URLs using schemes like data: or javascript: by entering
them as HTML entities, e.g. &#x64&#x61&#x74&#x61&#x3a. The intended
behaviour, demonstrated upstream, is that these should be escaped and therefore
harmless, but this behaviour was broken in comrak.
See advisory page for additional details.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}