Vulnerability Information
Vulnerability Title
Cross-site Scripting in Prism
Vulnerability Description
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's Command Line plugin can be used by attackers to achieve a cross-site scripting attack. The Command Line plugin did not properly escape its output, so the input text was inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the Command Line plugin on untrusted inputs, or sanitize all code blocks that use the Command Line plugin (remove all HTML code text).
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L
Vulnerability Type
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Vulnerability Title
Prism Cross-site Scripting Vulnerability
Vulnerability Description
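Prism is an application by Prism, an individual developer in the United States. It is a lightweight, extensible syntax highlighting tool. Prism has a cross-site scripting vulnerability that stems from the command line plugin not properly escaping its output, which causes input text to be inserted into the DOM as HTML code. Server-side usage of Prism is not affected. Websites that do not use the command line plugin are also not affected.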
CVSS Information
N/A
Vulnerability Type
N/A