Home / Companies / Snyk / Blog / Post Details
Content Deep Dive

Fixing `marked` XSS vulnerability

Blog post from Snyk

Post Details
Company
Date Published
Author
Guy Podjarny
Word Count
1,081
Company Posts That Month
3
Language
English
Hacker News Points
2
Post removed?
No
Summary

The marked package is a popular Markdown parser that can be used to render user input into rich text, but it has an XSS vulnerability due to its support for inline HTML and tags. This allows attackers to inject malicious scripts through links or other means. The vulnerability can be mitigated by enabling the sanitize option in the package's settings, which removes dangerous input and encodes or removes it. However, even with sanitization, there are still potential vulnerabilities, such as the use of HTML entities that browsers do not enforce, allowing attackers to evade detection. A patch is available through Snyk's Wizard, but users can also consider using alternative Markdown packages until a new version of marked is released. The vulnerability was first reported in 2015, but only recently gained attention due to its potential impact on user security.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.