Markdown-it Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Markdown-it library, specifically in version 14.1.0. The issue arises in the fenced code block rendering functionality, where improper input sanitization allows for the execution of arbitrary JavaScript. This vulnerability is located in the file 'lib/renderer.mjs'.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious JavaScript that is executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, install Markdown-it version 14.1.0 and set up a server using Express.js. Create a test HTML file that triggers the vulnerability by sending a POST request to the '/api/render' endpoint with markdown content that includes a fenced code block. The injected JavaScript will be executed when the rendered markdown is viewed in a browser.