🧨 Markdown Injection: XSS via marked
This demo renders Markdown using a vulnerable version of marked@0.3.6
without sanitization — making it susceptible to JavaScript injection.
🧪 How to Test
- Modify the Markdown or leave it as-is.
- Click Render Markdown.
- Observe that HTML is rendered and includes a clickable JS alert.
- This shows how an attacker can execute arbitrary JavaScript.
⚠️ Always sanitize Markdown output or upgrade to a secure version of marked.
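The vulnerable and the hardened behaviour side by side, as an added example that is not part of this demo or of the marked project. A tiny hand-written Markdown renderer stands in for marked@0.3.6 (the point is the raw-HTML passthrough, not marked's full grammar), the payloads are constructed, and the names (`renderUnsafe`, `renderSafe`, `findDangerousMarkup`) are this example's own. For a real application the rendered HTML should go through a maintained sanitizer such as DOMPurify rather than a hand-written filter like the one shown here.

```javascript
// Added example (not the demo's or marked's code): a minimal Markdown renderer
// that, like marked@0.3.6 without sanitization, passes raw HTML through, next
// to a hardened renderer that escapes raw HTML and allowlists link schemes.
// In production, run the rendered HTML through a maintained sanitizer
// (e.g. DOMPurify) instead of relying on a filter like this one.

// Markdown subset shared by both renderers: paragraphs, **bold**, [text](url).
function applyMarkdown(block, linkFilter) {
  let html = block.trim();
  html = html.replace(/\*\*(.+?)\*\*/g, '<strong>$1</strong>');
  html = html.replace(/\[([^\]]+)\]\(([^)\s]+)\)/g, (m, text, url) => linkFilter(text, url));
  return `<p>${html}</p>`;
}

// Vulnerable behaviour: inline HTML in the source is emitted verbatim, so an
// <img onerror=...> or <script> typed by the user becomes live markup.
function renderUnsafe(md) {
  return md.split(/\n{2,}/)
    .map(block => applyMarkdown(block, (text, url) => `<a href="${url}">${text}</a>`))
    .join('\n');
}

function escapeHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;')
             .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only relative URLs and a short allowlist of schemes become links; anything
// else is rendered as plain text. Because '&' is escaped before this check,
// entity tricks such as "javascript&colon;" stay literal in the output.
const SAFE_SCHEMES = ['http:', 'https:', 'mailto:'];
function isSafeUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(url);
  return m === null || SAFE_SCHEMES.includes(m[1].toLowerCase());
}

// Hardened behaviour: escape raw HTML before any Markdown transformation so
// user-supplied tags become inert text, then filter link targets.
function renderSafe(md) {
  return escapeHtml(md).split(/\n{2,}/)
    .map(block => applyMarkdown(block, (text, url) =>
      isSafeUrl(url) ? `<a href="${url}">${text}</a>` : text))
    .join('\n');
}

// Cheap post-render check for a unit test or CI gate: names the markup
// patterns that should never survive sanitization.
function findDangerousMarkup(html) {
  const checks = {
    scriptTag: /<script\b/i,
    eventHandler: /<[a-z][^>]*\son\w+\s*=/i,
    javascriptUrl: /href\s*=\s*["']?\s*javascript:/i,
  };
  return Object.keys(checks).filter(name => checks[name].test(html));
}

// Constructed payloads of the kind the demo lets a user type into the editor.
const PAYLOAD_IMG = '<img src=x onerror=alert(1)>';
const PAYLOAD_LINK = '[click me](javascript:alert%281%29)';

console.log('unsafe:', renderUnsafe(PAYLOAD_IMG), findDangerousMarkup(renderUnsafe(PAYLOAD_IMG)));
console.log('safe  :', renderSafe(PAYLOAD_IMG), findDangerousMarkup(renderSafe(PAYLOAD_IMG)));
console.log('link  :', renderSafe(PAYLOAD_LINK));
```

The escape-first order matters: escaping after the Markdown pass would also neutralise the `<strong>` and `<a>` tags the renderer itself produced, while escaping before it leaves only renderer-generated markup in the output. `findDangerousMarkup` is intentionally narrow (it is a regression check, not a sanitizer) and looks for handlers only inside a tag so that escaped text such as `&lt;img onerror=...&gt;` is not a false positive.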