So an interesting thing about putting JavaScript in a website is that the HTML parser ends a script element at the first </script> it sees, regardless of what the JavaScript around it looks like. What this means is that you can never have a literal </script> in inline JavaScript, not even inside a string. I forgot about this, and that led to the possibility of injecting JavaScript into anywhere I was using marked via something like </script><script>//your evil code here</script>.
The simple fix for this is to find any instance of </script> and replace it with </'+'script> before passing it to marked. That only works when the text is embedded in a single-quoted JavaScript string literal: the HTML parser no longer sees a closing tag, while the JavaScript parser concatenates the two halves back into the original text.
In any case, I accidentally had this vulnerability since I switched to marked, and I've now fixed it. Fortunately, no one has exploited it, so I dodged a bullet there. As always, cyber security is about remaining vigilant. I haven't magically fixed everything, and no one ever can.
Edit: And when I originally posted this, I discovered another bug, fortunately this time not leading to an XSS vulnerability (as far as I know). I never escaped backslashes (you know, these: \) in here. That was leading to this post not even appearing!
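To make the script-breakout bug and the fix concrete, here is an added example (not code from the original post, and not part of marked). It assumes the markdown source is dropped into an inline script as a single-quoted JavaScript string literal and then rendered client-side; the function names (embedNaive, embedFixed, embedJson, renderWithMarked and the checks) are hypothetical, and the sample markdown is constructed. It shows the vulnerable embedding, the post's </'+'script> replacement (generalised slightly: matched case-insensitively, and also catching </script followed by a space, since the HTML tokenizer accepts both), the backslash escaping from the Edit, and a JSON-based alternative that escapes every < as \u003c.

```javascript
// Added example, not code from the original post. It shows untrusted markdown
// being embedded in an inline <script> as a JavaScript string literal, the
// breakout described above, and two ways to prevent it. All function names are
// hypothetical; the sample input is constructed.

// Constructed input: what a commenter could submit. It carries the breakout
// payload from the post plus a backslash (the second bug from the Edit).
const USER_MARKDOWN = "Hello *world*</script><script>alert(1)</script> back\\slash";

// Vulnerable: the text is concatenated into a single-quoted literal untouched.
// The HTML parser ends the script at the first </script> it meets, no matter
// what the surrounding JavaScript looks like.
function embedNaive(md) {
  return "<script>var src = '" + md + "'; renderWithMarked(src);</script>";
}

// The post's fix, applied inside a single-quoted literal: every </script is
// split with string concatenation, so the HTML parser never sees a closing tag
// while the JavaScript parser still evaluates to the original text. Backslashes,
// quotes and newlines also need escaping, or the literal itself breaks (the
// backslash case is the bug mentioned in the Edit).
function escapeForSingleQuotedLiteral(md) {
  return md
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\r?\n/g, "\\n")
    .replace(/<\/script/gi, "</'+'script");
}

function embedFixed(md) {
  return "<script>var src = '" + escapeForSingleQuotedLiteral(md) + "'; renderWithMarked(src);</script>";
}

// A more general alternative: JSON-encode the text (this handles backslashes,
// quotes and newlines) and turn every '<' into \u003c, which JavaScript reads
// as '<' but the HTML tokenizer can never mistake for the start of a tag.
function embedJson(md) {
  const literal = JSON.stringify(md).replace(/</g, "\\u003c");
  return "<script>var src = " + literal + "; renderWithMarked(src);</script>";
}

// Check: count the places where an HTML tokenizer would end the script
// element. It matches "</script" case-insensitively followed by whitespace,
// "/" or ">", which is the rule the HTML parser applies. A correct embedding
// has exactly one: the real closing tag.
function countScriptEnds(html) {
  return (html.match(/<\/script[\s\/>]/gi) || []).length;
}

// Round-trip check: evaluate only the literal and compare with the input, to
// confirm the escaping did not change what the page's JavaScript will see.
function literalRoundTrips(literal, original) {
  return new Function("return " + literal + ";")() === original;
}

// Demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  const variants = [
    ["naive", embedNaive(USER_MARKDOWN)],
    ["fixed", embedFixed(USER_MARKDOWN)],
    ["json", embedJson(USER_MARKDOWN)],
  ];
  for (const [name, html] of variants) {
    console.log(name, "script ends:", countScriptEnds(html));
  }
}
```

The naive embedding yields three script ends for this input, so the browser runs the injected alert(1); both protected variants yield one, and the literal still evaluates to the original markdown. The \u003c approach is the one to prefer when the text is not already inside a single-quoted literal, because it does not depend on the quoting style of the surrounding script.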