N/A

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

marked 跨站脚本漏洞

marked是美国Christopher Jeffrey软件开发者的一款使用JavaScript编写的Markdown解析器和编译器。 marked 0.3.5及之前版本中存在跨站脚本漏洞，该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。

N/A

N/A