miaolz123 / vue-markdown

A Powerful and Highspeed Markdown Parser for Vue
https://miaolz123.github.io/vue-markdown/
MIT License

XSS vulnerability when katex fails to render #112

Open paulocsanz opened 4 years ago

paulocsanz commented 4 years ago

Hey, I was trying to reimplement this library without Vue for the browser and saw that this depends on markdown-it-katex, which is a library that was abandoned a long time ago; you can see in this issue that there are a bunch of forks because it's abandoned.

And there lies an XSS vulnerability. It happens when there is a syntax error in the LaTeX: the text is just dumped as HTML without escaping.

This can't be reproduced on the live demo because it's on an old branch with code that does not implement katex, so we actively run different code in production than the one we can test live here.

But in the original issue there is a proof of concept.

Also, by default this library sets html input to true, which can take people by surprise. Markdown is heavily used to format content while avoiding XSS vulnerabilities; being unsafe by default is not a good idea.

Apparently changing import katex from 'markdown-it-katex' to import katex from '@iktakahiro/markdown-it-katex' fixes it, using this fork: https://github.com/iktakahiro/markdown-it-katex

There is also a vue-markdown fork trying to fix this problem; it doesn't seem to support everything and I can't attest that it works, but some work has been done in #92.
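The two failure modes raised in the comment above, shown side by side as an added example (this is not code from vue-markdown, markdown-it-katex or the iktakahiro fork, and the exploit string is constructed, not the PoC from the linked issue). A stand-in renderer, fakeKatexRender, throws a parse error on an unknown control sequence the way KaTeX does; renderMathUnsafe follows the pattern the issue describes (catch the error, hand the raw TeX back to the output), renderMathSafe escapes the source in the fallback, and the html option on renderLine models markdown-it's html setting for text outside the math delimiters. All function names are illustrative.

```javascript
// Minimal HTML escaper (same idea as markdown-it's md.utils.escapeHtml).
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Stand-in for katex.renderToString (constructed for this example): it knows a
// handful of macros and throws a ParseError on any other control sequence,
// which is how a real KaTeX rejects e.g. "\foo". Successful output is escaped,
// as KaTeX's own output is.
class ParseError extends Error {}
const KNOWN_MACROS = new Set(['frac', 'sqrt', 'alpha', 'beta', 'sum', 'int']);
function fakeKatexRender(tex) {
  for (const m of tex.matchAll(/\\([A-Za-z]+)/g)) {
    if (!KNOWN_MACROS.has(m[1])) {
      throw new ParseError('Undefined control sequence: \\' + m[1]);
    }
  }
  return '<span class="katex">' + escapeHtml(tex) + '</span>';
}

// The pattern the issue describes: on a parse error, return the raw TeX source
// into the HTML output. Anything the author put between the $ signs lands in
// the page unescaped.
function renderMathUnsafe(tex) {
  try { return fakeKatexRender(tex); }
  catch (e) { return tex; }           // BUG: unescaped fallback
}

// Fixed fallback: escape the source before it reaches the output.
function renderMathSafe(tex) {
  try { return fakeKatexRender(tex); }
  catch (e) { return '<span class="katex-error">' + escapeHtml(tex) + '</span>'; }
}

// Tiny inline pipeline: $...$ segments go to the math renderer; everything
// else is text that is escaped unless the html option is on (markdown-it's
// html: true, which the issue says vue-markdown enables by default).
function renderLine(src, { html = false, math = renderMathSafe } = {}) {
  let out = '';
  let last = 0;
  for (const m of src.matchAll(/\$([^$\n]+)\$/g)) {
    const text = src.slice(last, m.index);
    out += html ? text : escapeHtml(text);
    out += math(m[1]);
    last = m.index + m[0].length;
  }
  const tail = src.slice(last);
  out += html ? tail : escapeHtml(tail);
  return out;
}

// Crude check for the demonstration: did an active tag survive into the output?
function containsActiveTag(htmlOut) {
  return /<(img|script|svg|iframe)\b/i.test(htmlOut);
}

// Constructed payloads (not taken from the issue or the advisory).
const PAYLOAD_MATH = '$\\foo<img src=x onerror=alert(1)>$';
const PAYLOAD_HTML = '<img src=x onerror=alert(1)>';

function demo() {
  return {
    unsafeMath: renderLine(PAYLOAD_MATH, { math: renderMathUnsafe }),
    safeMath:   renderLine(PAYLOAD_MATH, { math: renderMathSafe }),
    htmlOn:     renderLine(PAYLOAD_HTML, { html: true }),
    htmlOff:    renderLine(PAYLOAD_HTML, { html: false }),
    goodMath:   renderLine('$\\frac{1}{2}$'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, out] of Object.entries(demo())) {
    console.log(name.padEnd(10), containsActiveTag(out) ? 'XSS ' : 'ok  ', out);
  }
}
```

Running the block prints one line per case: unsafeMath and htmlOn carry the live img tag through, safeMath and htmlOff emit it as &lt;img ...&gt;, and goodMath renders normally. The takeaway for a consumer of the real library is that both knobs matter: the fork that escapes in the catch block closes the parse-error path, and html: false (or a sanitizer over the output) closes the raw-HTML path the default leaves open.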

th0rgall commented 3 years ago

This issue now also appears as a warning when running npm audit, see the npm advisory: https://www.npmjs.com/advisories/1466

Installing the Akirami fork https://github.com/Akirami/vue-markdown-v2 mentioned above (#92) resolved it for me.

Splinter0 commented 2 years ago

This is still an issue for me, when I do a fresh install of vue-markdown it automatically uses markdown-it-katex "^2.0.3" which is still vulnerable