Sanitization bypass using HTML Entities

Module: marked

Published: April 18th, 2016

Reported by: Matt Austin



Vulnerable: <=0.3.5
Patched: >=0.3.6


marked is an application that is meant to parse and compile markdown.

Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL.

This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.

For example:

If a malicious user could provide this input to the application javascript&#x58document;alert&#40;1&#41; resulting in a valid link, that when a user clicked it would execute alert(1).


Upgrade to version 0.3.6 or greater.


Sign up FREE for
nsp Continuous Security

Free for open source and the first private repo,
then just $1/mo per private repo