Cross-site Scripting (XSS)
Description
This affects the package markdown-it-highlightjs before 3.3.1. It is possible to insert malicious JavaScript as the value of `lang` in the markdown-it-highlightjs inline code highlighting feature. Proof of concept from the advisory (the backticks delimiting the code span, which the inline feature requires and which a rendering step had stripped, are restored here):

```js
const markdownItHighlightjs = require("markdown-it-highlightjs");
const md = require('markdown-it');

// With `inline: true`, the `{.lang}` text following a code span is read as the
// language. The value `">js` closes the class attribute and the <code> tag.
const result_xss = md()
  .use(markdownItHighlightjs, { inline: true })
  .render('`console.log(42)`{.">js}');

console.log(result_xss);
```
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| markdown-it-highlightjs (npm) | < 3.3.1 | 3.3.1 |
Affected products
- markdown-it-highlightjs/markdown-it-highlightjs
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization in the language specifier extraction allows an attacker to inject arbitrary HTML attributes and JavaScript event handlers."
Attack vector
An attacker can inject arbitrary HTML and JavaScript by supplying a crafted `lang` value in the inline code highlighting syntax. Before 3.3.1, markdown-it-highlightjs does not sanitize the language specifier it extracts from the text following a code span, whether written in the kramdown-style `` `code`{:.lang} `` form or the pandoc-style `` `code`{.lang} `` form used by the proof of concept above. When the library renders the highlighted code, the raw `lang` value is concatenated into the `class` attribute of the `<code>` element without escaping, so a value beginning with `">` closes the attribute and the tag, and whatever follows (for example an `<img>` element with an `onerror` handler) is emitted as live markup [ref_id=1]. The injection point is the attribute the plugin builds around the code, not the code content itself. This is a classic cross-site scripting (XSS) attack [CWE-79].
What the fix does
The patch tightens the regular expression that extracts the language specifier from `/[^}]+/` to `/[^}"'<>&]+/` [patch_id=6635259]. A language string containing a double quote, single quote, `<`, `>` or `&` no longer matches, so it is not treated as a language at all: the `{...}` text stays in place and is HTML-escaped like any other text. Those are exactly the characters needed to break out of a double- or single-quoted attribute or to open a tag. The accompanying test confirms that a payload like `".><img onerror=alert(1) src=.>` is now escaped rather than rendered as executable HTML. Note that this is a character denylist applied at extraction time rather than escaping applied at output time; when reviewing similar code, prefer escaping the value where it is written into the attribute (markdown-it exposes `md.utils.escapeHtml` for this) or restricting it to an allowlist of known language names, since a denylist protects only the contexts its authors anticipated. For the attribute break-out described in this advisory, the tightened regex is sufficient.
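The attack vector and the fix above, as an added example that is not the library's own code: a minimal inline-code renderer modelled on the behaviour the advisory describes, run with the pre-3.3.1 and 3.3.1 language regexes taken from the advisory text, plus a third variant that escapes the value at the attribute (my addition for comparison, not what the patch does). The tokenizer, the `escapeHtml` helper and the `language-` prefix are stand-ins for markdown-it internals and are assumptions; the two inputs are the advisory's proof of concept and the payload from the fix's regression test.

```javascript
// Added example, not code from markdown-it-highlightjs: a minimal model of the
// inline-code renderer described in the advisory, so the attribute break-out
// and the 3.3.1 regex change can be observed without installing the library.
// Only the two language regexes come from the advisory text; the tokenizer,
// the escaping helper and the 'language-' prefix are assumptions.

const LANG_PREFIX = 'language-'; // assumed: markdown-it's default langPrefix

// Minimal HTML escaping of the kind markdown-it applies to text and code content.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Hypothetical tokenizer standing in for markdown-it's inline parser: one code
// span followed by trailing text, e.g. "`code`{.js} more text".
function tokenizeInline(markdown) {
  const m = /^`([^`]+)`([\s\S]*)$/.exec(markdown);
  return m ? { code: m[1], text: m[2] } : null;
}

// Language-specifier regexes as described in the advisory; both the
// kramdown-style `{:.lang}` and pandoc-style `{.lang}` forms are accepted.
const LANG_RE_VULNERABLE = /^\{:?\.([^}]+)\}/;      // before 3.3.1: anything but '}'
const LANG_RE_FIXED = /^\{:?\.([^}"'<>&]+)\}/;      // 3.3.1: quotes, <, > and & rejected

// Render one inline code span. `langRe` selects the vulnerable or fixed
// extraction. `escapeLang` is the defence-in-depth variant from the text (an
// assumption, not what 3.3.1 does): escape the value where it is written into
// the attribute, whatever the regex let through.
function renderInline(markdown, langRe, escapeLang = false) {
  const tok = tokenizeInline(markdown);
  if (!tok) return escapeHtml(markdown);

  let lang = null;
  let rest = tok.text;
  const match = langRe.exec(rest);
  if (match) {
    lang = match[1];
    rest = rest.slice(match[0].length); // drop the specifier from the trailing text
  }

  // The vulnerable pattern: the raw lang value concatenated into a quoted attribute.
  const attrValue = lang === null ? null : (escapeLang ? escapeHtml(lang) : lang);
  const cls = attrValue === null ? '' : ` class="${LANG_PREFIX}${attrValue}"`;

  // Code content and any remaining trailing text are escaped as usual; the
  // class attribute above is the only unescaped interpolation.
  return `<code${cls}>${escapeHtml(tok.code)}</code>${escapeHtml(rest)}`;
}

// Constructed inputs: the advisory's proof of concept and the payload used by
// the fix's regression test.
const POC = '`console.log(42)`{.">js}';
const TEST_PAYLOAD = '`x`{.".><img onerror=alert(1) src=.>}';

// True when the rendered HTML contains an unescaped <img ...> tag, i.e. the
// payload escaped the attribute context.
function hasRawImgTag(html) {
  return /<img\s/.test(html);
}

for (const input of [POC, TEST_PAYLOAD]) {
  console.log('input:     ', input);
  console.log('vulnerable:', renderInline(input, LANG_RE_VULNERABLE));
  console.log('fixed:     ', renderInline(input, LANG_RE_FIXED));
  console.log('escaped:   ', renderInline(input, LANG_RE_VULNERABLE, true));
  console.log();
}
```

With the vulnerable regex the proof of concept renders as `<code class="language-">js">console.log(42)</code>`: the `">` in the language closes both the attribute and the tag. With the 3.3.1 regex the same input is not recognised as a language at all, so the `{...}` text is left in place and escaped. The `escapeLang` variant shows that escaping at the attribute would have neutralised the payload even with the permissive regex, which is the property to look for when auditing other renderers that build attributes by string concatenation.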
Preconditions
- Configuration: the markdown-it-highlightjs library must be used with the `inline: true` option enabled.
- Input: an attacker must be able to supply markdown content that includes a crafted inline code language specifier (e.g. `` `code`{:.payload} `` or `` `code`{.payload} ``).
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- GitHub Security Advisory GHSA-f246-xrrj-g8j6: github.com/advisories/GHSA-f246-xrrj-g8j6
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2020-7773
- Vulnerable code (v3.3.0, index.js line 52): github.com/valeriangalliat/markdown-it-highlightjs/blob/v3.3.0/index.js#L52
- Fix (pull request #14): github.com/valeriangalliat/markdown-it-highlightjs/pull/14
- Snyk: snyk.io/vuln/SNYK-JS-MARKDOWNITHIGHLIGHTJS-1040461