comrak operates by default in a "safe" mode of operation where unsafe content, such as arbitrary raw HTML or URLs with non-standard schemes, is not permitted in the output. This follows the reference GFM implementation, cmark-gfm.

Ampersands were not being correctly escaped in link targets, making it possible to fashion unsafe URLs using schemes like data: or javascript: by entering them as HTML entities, e.g. &#x64&#x61&#x74&#x61&#x3a. Because the ampersand was emitted verbatim into the href attribute, the browser decoded the character references and navigated to the resulting data: or javascript: URL, even though the destination as checked by comrak never began with such a scheme. The intended behaviour, demonstrated upstream, is that these ampersands are escaped (as &amp;), which leaves the reference text literal and therefore harmless, but this behaviour was broken in comrak.
Package: comrak
Affected versions: 0.7.0
Patched versions: >=0.10.1
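The following Rust program is an added example, not comrak's or cmark-gfm's own code, that models the bug in miniature: a simplified version of the dangerous-scheme check, an href escaper with and without ampersand escaping, and a toy decoder for character references that behaves like a browser's attribute parser. All function names and the simplified checks are assumptions made for this illustration. It shows why semicolon-less references such as &#x64&#x61&#x74&#x61&#x3a pass the Markdown-side check (CommonMark only recognizes a numeric reference that ends in ';', so they reach the renderer verbatim and do not start with data:) yet are decoded by the browser, and why escaping '&' to &amp; in the href neutralizes them.

```rust
// Added example, not comrak's code: a miniature model of a safe-mode
// Markdown renderer building an <a href="..."> from a link destination.
// Names and the simplified checks below are assumptions for illustration.

/// Simplified model of cmark-gfm's dangerous-URL check: block javascript:,
/// vbscript:, file:, and data: URLs other than a few image MIME types.
/// Runs on the destination as the Markdown parser delivers it; CommonMark
/// only decodes numeric references that end in ';', so "&#x64&#x61..."
/// arrives here verbatim and does not start with "data:".
fn is_dangerous_url(dest: &str) -> bool {
    let lower = dest.to_ascii_lowercase();
    if ["javascript:", "vbscript:", "file:"].iter().any(|p| lower.starts_with(p)) {
        return true;
    }
    if lower.starts_with("data:") {
        let safe_images = ["data:image/png", "data:image/gif", "data:image/jpeg", "data:image/webp"];
        return !safe_images.iter().any(|p| lower.starts_with(p));
    }
    false
}

/// Escape a destination for use as an href attribute value. With
/// `escape_ampersand == false` this reproduces the bug: '&' passes through
/// untouched, so any character reference in the destination reaches the
/// browser intact.
fn escape_href(dest: &str, escape_ampersand: bool) -> String {
    let mut out = String::with_capacity(dest.len());
    for c in dest.chars() {
        match c {
            '&' if escape_ampersand => out.push_str("&amp;"),
            '"' => out.push_str("&quot;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            _ => out.push(c),
        }
    }
    out
}

/// The href attribute value a safe-mode renderer emits: empty for a
/// destination the scheme check rejects, otherwise the escaped destination.
fn safe_href(dest: &str, escape_ampersand: bool) -> String {
    if is_dangerous_url(dest) {
        String::new()
    } else {
        escape_href(dest, escape_ampersand)
    }
}

/// Toy model of how an HTML parser decodes an attribute value: "&amp;"
/// becomes '&', and a numeric character reference is decoded even when its
/// trailing ';' is missing (the HTML spec flags that as a parse error but
/// still emits the character). Other named references are ignored here.
fn browser_decode_attr(value: &str) -> String {
    let chars: Vec<char> = value.chars().collect();
    let mut out = String::with_capacity(value.len());
    let mut i = 0;
    while i < chars.len() {
        if chars[i..].starts_with(&['&', 'a', 'm', 'p', ';']) {
            out.push('&');
            i += 5;
            continue;
        }
        if chars[i..].starts_with(&['&', '#']) {
            let hex = matches!(chars.get(i + 2), Some(&'x') | Some(&'X'));
            let (radix, start) = if hex { (16, i + 3) } else { (10, i + 2) };
            let mut j = start;
            while j < chars.len() && chars[j].is_digit(radix) {
                j += 1;
            }
            if j > start {
                let digits: String = chars[start..j].iter().collect();
                let cp = u32::from_str_radix(&digits, radix).unwrap_or(0xFFFD);
                out.push(char::from_u32(cp).unwrap_or('\u{FFFD}'));
                if chars.get(j) == Some(&';') {
                    j += 1; // optional terminator
                }
                i = j;
                continue;
            }
        }
        out.push(chars[i]);
        i += 1;
    }
    out
}

/// The URL the browser actually navigates to for a given destination.
fn effective_url(dest: &str, escape_ampersand: bool) -> String {
    browser_decode_attr(&safe_href(dest, escape_ampersand))
}

fn main() {
    // Constructed payload: "data:" spelled as semicolon-less hex references.
    let dest = "&#x64&#x61&#x74&#x61&#x3atext/html,hello";
    println!("scheme check on raw destination rejects it: {}", is_dangerous_url(dest));
    for &fixed in &[false, true] {
        println!(
            "escape '&' = {}: href=\"{}\" -> browser navigates to \"{}\"",
            fixed,
            safe_href(dest, fixed),
            effective_url(dest, fixed)
        );
    }
}
```

With ampersand escaping off, the emitted href is the raw destination and the browser decodes it to data:text/html,hello; with it on, the href becomes &amp;#x64&amp;#x61... and the browser sees the literal reference text, a harmless relative URL. The same single-pass escaping is what stops a javascript: payload spelled the same way.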
See advisory page for additional details.