Marko Cross-Site Scripting Vulnerability via Case-Insensitive Tag Breakout

Vulnerability

A cross-site scripting vulnerability has been identified in Marko versions prior to 5.38.36 and @marko/runtime-tags versions prior to 6.0.164. The issue arises when dynamic text is interpolated into <script> or <style> tags. The Marko runtime fails to properly sanitize the input, allowing an attacker to break out of the tag using non-lowercase closing tags, such as </SCRIPT> or </Style>. This could lead to the injection of arbitrary HTML or JavaScript. The vulnerability is present in any Marko template that interpolates untrusted data into <script> or <style> blocks, especially if the data comes from user input that is later rendered in these tags.

Impact

Exploitation of this vulnerability allows for cross-site scripting, with the potential for stored XSS if the injected script comes from persisted user input.

Reproduction

To reproduce this vulnerability, interpolate untrusted data into a <script> or <style> tag in a Marko template. Ensure the data includes a mixed-case closing tag, such as </SCRIPT> or </Style>. When the template is rendered, the browser will parse the mixed-case tag as a valid closing tag, terminating the script or style context and executing any injected JavaScript.

Remediation

Users should upgrade to Marko version 5.38.36 or @marko/runtime-tags version 6.0.164. As a temporary workaround, untrusted data can be pre-sanitized to remove any closing tag references (matched case-insensitively, since the browser matches tag names case-insensitively) before interpolation, or direct interpolation into <script> or <style> tags can be avoided altogether.
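The following is an added example, not Marko's own code, showing why a lowercase-only filter misses the breakout described above and how to escape untrusted data for a <script> or <style> context so that no closing tag of any case survives. The function names and the sample input are constructed for illustration.

```javascript
// Added example (not part of the Marko project). Escaping untrusted data for
// interpolation into <script> and <style> blocks.

// Weak: only the exact lowercase sequence is neutralized. "</SCRIPT>" or
// "</Style>" passes through, and the HTML parser, which compares tag names
// case-insensitively, still terminates the element.
function escapeForScriptWeak(value) {
  return JSON.stringify(value).replace(/<\/script>/g, '<\\/script>');
}

// Hardened: encode every "<" as the JS string escape \u003c. The result is
// still valid JSON/JS and decodes to the original text, but the HTML parser
// never sees a "<" inside the script, so neither "</script" in any case
// nor "<!--" can change the parsing state.
function escapeForScript(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// CSS has no \uXXXX escape; inside a CSS string literal the hex escape
// "\3c " (the trailing space ends the hex digits) encodes "<".
function escapeForStyleString(text) {
  return String(text)
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/</g, '\\3c ');
}

// Detection oracle: does a rendered script/style body still contain an end
// tag in any letter case? Useful in unit tests or a response-body check.
const END_TAG_RE = /<\/(script|style)\b/i;
function containsTagBreakout(body) {
  return END_TAG_RE.test(body);
}

// Constructed sample: a stored profile field carrying a mixed-case end tag.
const untrusted = 'hello</SCRIPT><b>injected</b>';

function demo() {
  const weak = escapeForScriptWeak(untrusted);
  const hardened = escapeForScript(untrusted);
  return {
    weakBreaksOut: containsTagBreakout(weak),                     // true
    hardenedBreaksOut: containsTagBreakout(hardened),             // false
    styleBreaksOut: containsTagBreakout(escapeForStyleString(untrusted)), // false
    roundTrips: JSON.parse(hardened) === untrusted,               // true
  };
}
```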

Added: May 8, 2026, 6:30 PM
Updated: May 8, 2026, 6:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
