Describe the bug
PrismJS DOM Clobbering vulnerability
Transitive dependency prismjs 1.27.0 is introduced via
react-native-code-highlighter 1.3.0 ... prismjs 1.27.0
react-syntax-highlighter 15.6.6 ... prismjs 1.27.0
Package         Affected versions   Patched version
prismjs (npm)   < 1.30.0            1.30.0
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.
To Reproduce
Steps to reproduce the behavior:
- Enable Dependabot security alerts
- See error
Expected behavior
Project without vulnerabilities
Additional context
@a-ghorbani
Could you please fix it?
Thanks!
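As an added example (not code from this issue or from the PrismJS project), here is the hardening pattern that closes the lookup described in the advisory: refuse any `document.currentScript` value that is not an actual script element, so a library never reads `.src` from an element an untrusted HTML fragment placed there. The document stand-ins, URLs and the `scriptBaseUrl` helper are constructed assumptions so the code runs under Node without a DOM.

```javascript
// Added example, not PrismJS's own code. In a browser, an untrusted
// fragment such as <img name="currentScript"> shadows document.currentScript,
// so a naive `document.currentScript.src` read would trust attacker data.
// The objects below are constructed stand-ins for DOM objects (assumption).

function isScriptElement(el) {
  // A genuine script element is an object whose tagName is exactly "SCRIPT".
  // Shadowed values are other elements (IMG, FORM, ...) or an
  // HTMLCollection when several named elements collide (no tagName at all).
  return el !== null && typeof el === 'object' && el.tagName === 'SCRIPT';
}

function safeCurrentScript(doc) {
  // Return the current script only when it passes the type check; otherwise
  // null, so callers take a safe fallback rather than a clobbered element.
  if (!doc) return null;
  const candidate = doc.currentScript;
  return isScriptElement(candidate) ? candidate : null;
}

function scriptBaseUrl(doc) {
  // Derive the directory the script was loaded from (the kind of value a
  // loader would use to fetch sibling files), or null if it cannot be trusted.
  const script = safeCurrentScript(doc);
  if (!script || typeof script.src !== 'string') return null;
  const idx = script.src.lastIndexOf('/');
  return idx === -1 ? null : script.src.slice(0, idx + 1);
}

// Constructed sample documents (assumption): a legitimate script, a lookup
// shadowed by a named <img>, and a lookup shadowed by a collection.
const legitDoc = {
  currentScript: { tagName: 'SCRIPT', src: 'https://cdn.example/prism/prism.js' },
};
const clobberedDoc = {
  currentScript: { tagName: 'IMG', name: 'currentScript', src: 'https://untrusted.example/x.js' },
};
const collectionDoc = {
  currentScript: { length: 2, 0: { tagName: 'IMG' }, 1: { tagName: 'IMG' } },
};

console.log(scriptBaseUrl(legitDoc));      // trusted base URL
console.log(scriptBaseUrl(clobberedDoc));  // null: refused
console.log(scriptBaseUrl(collectionDoc)); // null: refused
```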