Description
In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, which allows attackers to trigger XSS via unprintable characters, as demonstrated by a \x0ejavascript: URL.
Remediation
References
https://github.com/jonschlinkert/remarkable/issues/332
Related Vulnerabilities
CVE-2020-7707 Vulnerability in npm package property-expr
CVE-2021-23343 Vulnerability in npm package path-parse
CVE-2020-8137 Vulnerability in npm package uppy
CVE-2020-7754 Vulnerability in maven package org.webjars.npm:npm-user-validate
CVE-2023-33246 Vulnerability in maven package org.apache.rocketmq:rocketmq-controller