Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

输入iframe时会被执行,是设计如此还是问题呢 #3565

Open
CHENFANGC opened this issue Dec 23, 2024 · 1 comment
Open

输入iframe时会被执行,是设计如此还是问题呢 #3565

CHENFANGC opened this issue Dec 23, 2024 · 1 comment

Comments

@CHENFANGC
Copy link

Marked version:
all
Describe the bug
A clear and concise description of what the bug is.
demo https://marked.js.org/demo/?text=%3Ciframe%20src%3D%22javascript%3Aalert(%27Your%20user%20token%20is%3A%20%27%2BlocalStorage.getItem(%27userToken%27)%2B%27%20Cookies%3A%20%27%2Bdocument.cookie)%22%3ETrust%20No%20AI%3C%2Fiframe%3E&options=%7B%0A%20%22async%22%3A%20false%2C%0A%20%22breaks%22%3A%20false%2C%0A%20%22extensions%22%3A%20null%2C%0A%20%22gfm%22%3A%20true%2C%0A%20%22hooks%22%3A%20null%2C%0A%20%22pedantic%22%3A%20false%2C%0A%20%22silent%22%3A%20false%2C%0A%20%22tokenizer%22%3A%20null%2C%0A%20%22walkTokens%22%3A%20null%0A%7D&version=15.0.4

输入以下内容

<iframe src="javascript:alert('Your user token is: '+localStorage.getItem('userToken')+' Cookies: '+document.cookie)">Trust No AI</iframe> 输出结果是iframe被执行,期望结果是不被执行,以代码块儿形式展示

image

To Reproduce
Steps to reproduce the behavior:

Expected behavior
A clear and concise description of what you expected to happen.

@UziTech
Copy link
Member

UziTech commented Dec 23, 2024

This is expected, html is left alone according to the CommonMark spec

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants