XSS when parsing math expression

[l4wio]

Look at: https://github.com/waylonflinn/markdown-it-katex/blob/master/index.js#L168

Once the parser returns error, it would return katex without sanitizing as HTML tags.

To trigger this catch block, you can easily put one more "%" character.

Try it on live demo http://waylonflinn.github.io/markdown-it-katex/

1. Input the data as $<img src=a onerror=alert(1)>$ , nothing happens
2. Try $<img src=a onerror=alert(1)>%$ you can see the alert dialog.

Consider this affects many real-world products.

[huntr-helper]

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚

Automatically generated by @huntr-helper...

[huntr-helper]

‎‍🛠️ A fix has been provided for this issue. Please reference: 418sec#1

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.