middleware
redcarpet <=3.2.2 (and related ruby gems) allow for possible XSS via autolinking of untrusted markdown
middleware depends on redcarpet 2.x. From middleware.gemspec:
gem.add_development_dependency "redcarpet", "~> 2.1.0"
The "~> 2.1.0" constraint resolves only to redcarpet 2.1.x releases, all of which fall inside the affected range (every version up to and including 3.2.2), so any redcarpet that satisfies this gemspec is vulnerable to cross-site scripting through autolinking of untrusted markdown, as described in this blog post: http://danlec.com/blog/bug-in-sundown-and-redcarpet. Because the gem declares redcarpet as a development dependency rather than a runtime one, applications that merely depend on middleware do not install it; the exposure is in the development and test toolchain of middleware itself, wherever that toolchain renders untrusted markdown with autolinking enabled. The fix is to require a redcarpet release newer than 3.2.2.
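As an added example (not part of this advisory and not code from the middleware or redcarpet projects), the following Ruby script performs the check a practitioner would want here: it pulls the redcarpet requirement out of a gemspec and asks whether that requirement can still resolve to a release inside the affected range. It relies only on Gem::Requirement and Gem::Version from RubyGems. The list of published redcarpet versions is constructed for illustration; a real check would take it from "gem list -r redcarpet -a" or from the RubyGems API, and the gemspec text is the single line quoted above.

```ruby
# Added example, not from the advisory: does a gemspec's redcarpet requirement
# admit a release affected by the autolink XSS (all releases <= 3.2.2)?
require "rubygems"

# Last affected release, taken from the advisory title.
LAST_VULNERABLE = Gem::Version.new("3.2.2")

# Constructed list of redcarpet release numbers used for illustration only;
# in practice, fetch the real list from RubyGems.
KNOWN_VERSIONS = %w[2.0.0 2.1.0 2.1.1 2.2.2 2.3.0 3.0.0 3.1.0 3.2.2 3.2.3 3.3.4]
                 .map { |v| Gem::Version.new(v) }

# Extract the requirement strings for redcarpet from gemspec source text.
# Handles add_dependency, add_runtime_dependency and add_development_dependency,
# with or without parentheses, and returns nil if redcarpet is not declared.
def redcarpet_requirement(gemspec_text)
  line = gemspec_text.lines.find do |l|
    l =~ /add_(?:development_|runtime_)?dependency\s*\(?\s*["']redcarpet["']/
  end
  return nil unless line
  # Everything after the gem name holds the requirement strings, e.g. "~> 2.1.0".
  line.split(/["']redcarpet["']/, 2).last.scan(/["']([^"']+)["']/).flatten
end

# Return the known versions that satisfy `requirement` and are still affected.
# An empty result means the constraint cannot resolve to a vulnerable release.
def vulnerable_matches(requirement, versions = KNOWN_VERSIONS)
  req = Gem::Requirement.new(requirement)
  versions.select { |v| req.satisfied_by?(v) && v <= LAST_VULNERABLE }
end

# The dependency line quoted from middleware.gemspec in the advisory.
GEMSPEC = <<~SPEC
  gem.add_development_dependency "redcarpet", "~> 2.1.0"
SPEC

if __FILE__ == $0
  req = redcarpet_requirement(GEMSPEC)
  bad = vulnerable_matches(req)
  puts "requirement: #{req.inspect}"
  if bad.empty?
    puts "constraint excludes all affected redcarpet releases"
  else
    puts "constraint admits affected releases: #{bad.map(&:to_s).join(', ')}"
  end
end
```

The same two functions work for a corrected constraint: ">= 3.2.3" yields no matches, while a loose "~> 3.2" still admits 3.2.2 and should be tightened to "~> 3.2.3" or later.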