Package: node-markdown-to-jsx / 7.2.0+dfsg-3

Description: ensure src prop is sanitized
Author: Evan Jacobs <probablyup@gmail.com>
Origin: upstream, https://github.com/quantizor/markdown-to-jsx/commit/8eb74da8
Bug: https://security.snyk.io/vuln/SNYK-JS-MARKDOWNTOJSX-6258886
Bug-Debian: https://bugs.debian.org/1085375
Forwarded: not-needed
Applied-Upstream: 7.4.0, commit:8eb74da8
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2025-04-13

--- a/index.tsx
+++ b/index.tsx
@@ -739,7 +739,7 @@
 
       return styles
     }, {})
-  } else if (key === 'href') {
+  } else if (key === 'href' || key === 'src') {
     return sanitizeUrl(value)
   } else if (value.match(INTERPOLATION_R)) {
     // return as a string and let the consumer decide what to do with it
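Review bot: The check on the new line, `key === 'href' || key === 'src'`, enumerates URL-bearing attribute names by hand, so any other attribute whose value a browser resolves as a URL (for example `poster`, `formaction` or `xlink:href`, if such inline-HTML attributes can reach this branch) still bypasses `sanitizeUrl`. Keeping the names in one module-level set, `const URL_ATTRS = new Set(['href', 'src'])` tested with `URL_ATTRS.has(key)`, makes the next addition a one-token change and gives the list a single place to be reviewed; `srcset` would need per-candidate parsing rather than a single `sanitizeUrl` call, so it should not simply be appended. A short comment above the branch, `// every attribute the browser resolves as a URL must go through sanitizeUrl`, would record the intent the fix relies on. The enclosing function starts and ends outside the hunk, so which attribute names can actually arrive here cannot be confirmed from this view.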