Share
## https://sploitus.com/exploit?id=F7611503-39EE-52FD-A93E-5E502AA8BD60
# Stored XSS in node-html-markdown โค 2.0.0
## Overview
This repository demonstrates a **Stored (Second-Order) Cross-Site Scripting (XSS)** vulnerability in the
[node-html-markdown](https://github.com/codex-team/node-html-markdown) library versions Click me
ff
### Vulnerable Code Location
- File: `src/config.ts`
- Lines: 254โ298
- Issue: `javascript:` and `data:` URLs in links and images are not sanitized before being output to Markdown/HTML.
| Component | File | Lines | Description |
| ----------------------------- | --------------- | ------- | ------------------------------------------------------------------------------------------------------------- |
| `` tag / autolink handling | `src/config.ts` | 254โ277 | The `href` attribute is encoded only for `()_*`; other schemes like `javascript:` pass through unsanitized. |
| Inline links | `src/config.ts` | 283โ284 | `href` directly embedded in Markdown output without filtering. |
| `` tag handling | `src/config.ts` | 292โ298 | `src` attribute allows `javascript:` and `data:text/html` (with `keepDataImages: true`) without sanitization. |