CVE-2024-41662: Markdown It Missing Html Block Sanitization
greprules fetch cve-2024-41662-markdown-it-missing-html-block-sanitization --engine opengrep

Description
Markdown-it is configured to override the `html_inline` renderer rule, but `html_block` is not overridden. If the `html_inline` override is what sanitizes or filters XSS, failing to also sanitize `html_block` leaves the application vulnerable to XSS via block-level HTML (e.g., a `<script>` element on its own line, or a `<div>` carrying event-handler attributes). Raw HTML that starts a line is parsed as an `html_block` token, not an `html_inline` token, so a filter attached only to the inline rule never sees it. Ensure `html_block` is sanitized alongside `html_inline`.
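The configuration the rule flags next to its fix, as an added example that is not code from this rule page or from markdown-it. It assumes markdown-it's renderer API (a rule is a function `(tokens, idx, options, env, self)` stored under `md.renderer.rules[tokenType]`, and the stock `html_inline`/`html_block` rules return `tokens[idx].content` unescaped when the instance was created with `{ html: true }`). `fakeMarkdownIt()` and `SAMPLE_TOKENS` are constructed stand-ins for the instance and the parser output, so the file runs without the markdown-it package installed; `overrideInlineOnly` and `overrideInlineAndBlock` work unchanged on a real instance.

```javascript
// Added example; not code from the greprules page or from markdown-it.
// Assumes markdown-it's renderer API: md.renderer.rules[tokenType] is a
// function (tokens, idx, options, env, self) returning an HTML string, and
// markdown-it's stock html_inline / html_block rules return
// tokens[idx].content unescaped when the instance was created with
// { html: true }. fakeMarkdownIt() and SAMPLE_TOKENS are constructed
// stand-ins so this runs without the markdown-it package installed.

function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Renderer rule that neutralises raw HTML by escaping it. Both HTML token
// types share the rule signature, so one function serves html_inline and
// html_block alike.
function escapedHtmlRule(tokens, idx /*, options, env, self */) {
  return escapeHtml(tokens[idx].content);
}

// The pattern this rule flags: only html_inline is overridden.
function overrideInlineOnly(md) {
  md.renderer.rules.html_inline = escapedHtmlRule;
  return md;
}

// The fix: override html_block as well.
function overrideInlineAndBlock(md) {
  md.renderer.rules.html_inline = escapedHtmlRule;
  md.renderer.rules.html_block = escapedHtmlRule;
  return md;
}

// Constructed stand-in for new MarkdownIt({ html: true }): a rules table with
// pass-through HTML rules plus the minimal dispatch the real renderer does
// (look up the rule by token type, concatenate the results).
function fakeMarkdownIt() {
  const rules = {
    text: (tokens, idx) => escapeHtml(tokens[idx].content),
    html_inline: (tokens, idx) => tokens[idx].content,
    html_block: (tokens, idx) => tokens[idx].content,
  };
  const md = { renderer: { rules } };
  md.renderTokens = (tokens) =>
    tokens.map((t, i) => rules[t.type](tokens, i, {}, {}, md.renderer)).join('');
  return md;
}

// Constructed, flattened token stream matching what markdown-it's parser
// produces for this Markdown source (inline HTML inside a paragraph, then a
// raw HTML block on its own line):
//
//   Hello <b onmouseover="alert(1)">world</b>
//
//   <script>alert(document.cookie)</script>
const SAMPLE_TOKENS = [
  { type: 'text', content: 'Hello ' },
  { type: 'html_inline', content: '<b onmouseover="alert(1)">' },
  { type: 'text', content: 'world' },
  { type: 'html_inline', content: '</b>' },
  { type: 'text', content: '\n' },
  { type: 'html_block', content: '<script>alert(document.cookie)</script>\n' },
];

function renderWithInlineOnly(tokens = SAMPLE_TOKENS) {
  return overrideInlineOnly(fakeMarkdownIt()).renderTokens(tokens);
}

function renderWithInlineAndBlock(tokens = SAMPLE_TOKENS) {
  return overrideInlineAndBlock(fakeMarkdownIt()).renderTokens(tokens);
}

// True when the rendered output still carries a live <script> tag.
function containsRawScript(html) {
  return /<script[\s>]/i.test(html);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('inline-only override:\n' + renderWithInlineOnly());
  console.log('inline+block override:\n' + renderWithInlineAndBlock());
}
```

With the inline-only override the inline `<b onmouseover>` is escaped but the `<script>` block is emitted verbatim; with both rules overridden every raw HTML token is escaped. Against the real package, `overrideInlineAndBlock(require('markdown-it')({ html: true }))` yields an instance whose `md.render(src)` behaves the same way. Two caveats: markdown-it's default is `html: false`, under which raw HTML never becomes `html_inline`/`html_block` tokens and is escaped as text, so this finding only matters for instances created with `html: true`; and a renderer-rule override covers only these two token types, so HTML that plugins emit through other token types is not touched by it, which is why sanitizing the final HTML output (for example with DOMPurify) is the more general control.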
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided