XSS vulnerability found in the lepture/editor markdown preview page

Hi, lepture/editor developer!

Currently, the markdown rendering page does not sanitize user input for scripts, which can lead to Cross-site Scripting (XSS) in the markdown preview page.

#### Payload
```
<img src=1 onerror="javascript:alert(document.domain)">
```

![tmp2](https://github.com/user-attachments/assets/5514a666-1e89-46c3-b318-2374e952593d)


#### Impact
Users of lepture/editor who open untrusted markdown files on the platform (i.e., http://lab.lepture.com/editor/) are vulnerable to XSS attacks.

Note that, since the project doesn't set the security policy, I directly report the vulnerability here.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

XSS vulnerability found in the lepture/editor markdown preview page #115

Payload

Impact

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

XSS vulnerability found in the lepture/editor markdown preview page #115

Description

Payload

Impact

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions