showdown@2.0.0-alpha

A Markdown to HTML converter written in Javascript

  • latest version

    2.1.0

  • first published

    15 years ago

  • latest version published

    4 years ago

  • licenses detected

    • >=2.0.0-alpha
  • Direct Vulnerabilities

    Known vulnerabilities in the showdown package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Cross-site Scripting (XSS)

    showdown is a JavaScript Markdown to HTML converter.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the parseHeaders function. An attacker can execute arbitrary scripts in the context of users viewing rendered markdown by injecting specially crafted table header content containing double-quote characters, which are not properly escaped in the table header ID attribute. This can lead to the execution of malicious HTML or SVG elements when untrusted markdown is rendered with the default configuration.

    How to fix Cross-site Scripting (XSS)?

    A fix was pushed into the master branch but not yet published.

    *
    • M
    Cross-site Scripting (XSS)

    showdown is a JavaScript Markdown to HTML converter.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in metadata title handling, which inserts markdown frontmatter metadata into the HTML <title> element without escaping the less-than and greater-than characters. An attacker can inject arbitrary HTML and execute JavaScript in the rendered page by placing < and > characters in frontmatter metadata to break out of the title context. Exploitation applies only when the non-default completeHTMLDocument option is enabled and the application renders attacker-influenced markdown.

    How to fix Cross-site Scripting (XSS)?

    A fix was pushed into the master branch but not yet published.

    *
    • M
    Regular Expression Denial of Service (ReDoS)

    showdown is a JavaScript Markdown to HTML converter.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the anchors subparser in anchors.js (AKA links.js).

    How to fix Regular Expression Denial of Service (ReDoS)?

    A fix was pushed into the master branch but not yet published.

    *