{"id":"RUSTSEC-2021-0063","summary":"XSS in `comrak`","details":"[comrak](https://github.com/kivikakk/comrak) operates by default in a \"safe\"\nmode of operation where unsafe content, such as arbitrary raw HTML or URLs with\nnon-standard schemes, are not permitted in the output.  This is per the\nreference GFM implementation, [cmark-gfm](https://github.com/github/cmark).\n\nAmpersands were not being correctly escaped in link targets, making it possible\nto fashion unsafe URLs using schemes like `data:` or `javascript:` by entering\nthem as HTML entities, e.g. `&#x64&#x61&#x74&#x61&#x3a`.  The intended\nbehaviour, demonstrated upstream, is that these should be escaped and therefore\nharmless, but this behaviour was broken in comrak.","aliases":["CVE-2021-38186","GHSA-6wj2-g87r-pm62"],"modified":"2023-11-08T04:06:25.615713Z","published":"2021-05-04T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/comrak"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0063.html"},{"type":"WEB","url":"https://github.com/kivikakk/comrak/releases/tag/0.10.1"}],"affected":[{"package":{"name":"comrak","ecosystem":"crates.io","purl":"pkg:cargo/comrak"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.10.1"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"arch":[],"os":[],"functions":[]}},"database_specific":{"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0063.json","categories":["format-injection"],"informational":null}}],"schema_version":"1.7.3"}