Marked comes with an option to sanitize user output to help protect against content injection attacks.

...
    sanitize: true
...

Even if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser.

Injection is possible in two locations:

- gfm codeblocks (language)
- javascript: URLs

External References:
https://nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities
http://www.securityfocus.com/bid/67356
http://permalink.gmane.org/gmane.comp.security.oss.general/12787
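The two injection points named above, as an added illustration that is not marked's own code: a minimal code-block and link renderer in the output shape marked produces, first with the fence language string and link href passed through raw, then with the checks a sanitizing renderer needs (HTML-escape the info string before it lands in a class attribute; decode entities and percent-encoding, strip non-word characters and lower-case the href before testing for a javascript: scheme, so tabs, `&#106;` and `%6A` cannot hide it). Function names, the `lang-` class prefix and the sample inputs are assumptions for this example, not taken from the advisory or from marked.

```javascript
// Added example, not code from marked or from the advisory.
// Models the two output locations the advisory names: the ``` info string
// (rendered into a class attribute) and link hrefs. Inputs are constructed.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: the language token is concatenated into an attribute
// unescaped, so `"><script>...` after ``` closes the attribute and the tag.
function renderCodeUnsafe(code, lang) {
  return '<pre><code class="lang-' + lang + '">' + escapeHtml(code) + '</code></pre>';
}

// Hardened shape: escape the token before it reaches the attribute.
function renderCodeSafe(code, lang) {
  return '<pre><code class="lang-' + escapeHtml(lang) + '">' + escapeHtml(code) + '</code></pre>';
}

// Minimal entity decoder (numeric and &colon;), enough to unhide a scheme.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/&colon;/gi, ':');
}

// True if the href resolves to a javascript: URL once browser-side decoding
// and whitespace/control-character tolerance are taken into account.
function isJavascriptUrl(href) {
  let proto;
  try {
    proto = decodeURIComponent(decodeEntities(href))
      .replace(/[^\w:]/g, '')   // drop tabs, newlines, NULs, parentheses, '&', '%'
      .toLowerCase();
  } catch (e) {
    return true;                 // malformed percent-encoding: treat as unsafe
  }
  return proto.indexOf('javascript:') === 0;
}

// Vulnerable shape: href is emitted as given.
function renderLinkUnsafe(href, text) {
  return '<a href="' + href + '">' + escapeHtml(text) + '</a>';
}

// Hardened shape: drop javascript: links entirely, escape everything else.
function renderLinkSafe(href, text) {
  if (isJavascriptUrl(href)) return '';
  return '<a href="' + escapeHtml(href) + '">' + escapeHtml(text) + '</a>';
}

// Constructed payloads exercising both injection points.
const SAMPLE_LANG = '"><script>alert(1)</script><code class="';
const SAMPLE_HREFS = [
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  '&#106;avascript:alert(1)',
  '%6Aavascript:alert(1)',
  'javascript&colon;alert(1)',
  'https://example.com/?q=javascript:',   // benign: scheme is not at the start
];

function demo() {
  return {
    codeUnsafe: renderCodeUnsafe('x', SAMPLE_LANG),
    codeSafe: renderCodeSafe('x', SAMPLE_LANG),
    blocked: SAMPLE_HREFS.filter(isJavascriptUrl),
    allowed: SAMPLE_HREFS.filter(h => !isJavascriptUrl(h)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The string-level check is deliberately applied after decoding and stripping, because the browser applies the same tolerance when it parses the href; checking the raw string for the literal prefix `javascript:` would pass every obfuscated variant in SAMPLE_HREFS except the first.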
Created marked tracking bugs for this issue:

Affects: fedora-all [bug 1110215]
Affects: epel-6 [bug 1110216]
This is already resolved by the 0.3.2 update on 2014-04-19.