kkFileView
The Markdown preview feature has an XSS vulnerability
An attacker can construct Markdown content containing the following payload:
XSS
After uploading, when users click on this link in the preview interface, it can lead to a cross-site scripting (XSS) vulnerability, which has been reproduced in the official demo.
The risk of this vulnerability is relatively low, as it requires user interaction to trigger. Below is a screenshot:
I suggest you enable a secure domain to handle this; files like md and svg are rendered directly, which is not easy to deal with.
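The two defensive measures implied by this thread are (a) sanitizing the HTML produced from user-supplied Markdown so that links cannot carry script-bearing URL schemes or inline event handlers, and (b) serving previews from an isolated origin with a restrictive policy, as the maintainer's "secure domain" suggestion describes. The following is an added illustration, not kkFileView's own code; the sample HTML fragment is constructed to resemble what a Markdown renderer would emit for a malicious link, and the header values are an assumed configuration for a separate preview origin, not the project's actual settings.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL schemes a preview link or image may use. Anything else
# (javascript:, data:, vbscript:, ...) is stripped from the attribute.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Elements that must never survive in rendered user content.
DROP_TAGS = {"script", "iframe", "object", "embed", "style"}
URL_ATTRS = {"href", "src", "xlink:href"}


def safe_url(value):
    """True if the URL is relative or uses an allowed scheme.

    Whitespace and control characters are removed before inspecting the
    scheme, because browsers ignore them when parsing a scheme.
    """
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class PreviewSanitizer(HTMLParser):
    """Rebuilds an HTML fragment, dropping dangerous tags, event handler
    attributes and URL attributes whose scheme is not allowed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside a dropped element

    def _render_start(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                continue  # inline event handler such as onerror/onclick
            if lname in URL_ATTRS and not safe_url(value):
                continue  # script-bearing or otherwise disallowed scheme
            kept.append((lname, value))
        attr_text = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        return f"<{tag}{attr_text}{'/' if self_closing else ''}>"

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        self.out.append(self._render_start(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_TAGS or self.skip_depth:
            return
        self.out.append(self._render_start(tag, attrs, True))

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text was decoded by convert_charrefs; re-escape it on output.
            self.out.append(html.escape(data, quote=False))


def sanitize_preview_html(fragment):
    """Return a sanitized copy of HTML rendered from user Markdown."""
    parser = PreviewSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def preview_headers():
    """Assumed response headers for a preview served from its own origin:
    no scripts, no framing into the main application, and a sandbox so
    that even an unsanitized document cannot run script or reach the
    application's cookies."""
    return {
        "Content-Security-Policy": "default-src 'none'; img-src 'self'; style-src 'self'; sandbox",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    }


# Constructed sample: what a Markdown renderer might emit for a malicious
# link, an inline script and an image with an event handler.
SAMPLE_FRAGMENT = (
    '<p><a href="javascript:alert(1)">XSS</a> and '
    '<a href="https://example.com">ok</a></p>'
    '<script>alert(2)</script><img src="x" onerror="alert(3)">'
)

if __name__ == "__main__":
    print(sanitize_preview_html(SAMPLE_FRAGMENT))
    print(preview_headers())
```

The sanitizer keeps the link text but removes the offending `href`, so the rendered preview shows "XSS" as plain anchor text with nothing to execute on click; the headers are the belt-and-braces layer for the case where rendering bugs let something through.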