markdown-it-highlightjs@3.0.0 vulnerabilities

Preset to use highlight.js with markdown-it.

Direct Vulnerabilities

Known vulnerabilities in the markdown-it-highlightjs package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

markdown-it-highlightjs is a Preset to use highlight.js with markdown-it.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature.

const markdownItHighlightjs = require("markdown-it-highlightjs");
const md = require('markdown-it');

const reuslt_xss = md()
.use(markdownItHighlightjs, { inline: true })
.render('`console.log(42)`{.">js}');

console.log(reuslt_xss);

How to fix Cross-site Scripting (XSS)?

Upgrade markdown-it-highlightjs to version 3.3.1 or higher.

<3.3.1