Cross-site Scripting (XSS) via autolink (require disabled mangling) #926
Comments
Actually you could abuse this to open new tags (and trigger without a click):

text = `
<<svg///@x>
`;

Will render:

<p><a href="mailto:<svg/>"alert(1)"//@x"><svg///@x</a></p>

or:

text = `
<<script/@x>alert(1)//<</script/@x>
`;

Will render:

<p><a href="mailto:<script/@x"><script/@x</a>alert(1)//<a href="mailto:</script/@x"></script/@x</a></p>

It looks like the "text" var at https://github.com/chjj/marked/blob/master/lib/marked.js#L581 should be escaped.
See #937 ??

I was able to reproduce this on master branch. Why was this closed? What tests closed out this issue? @joshbruce
Hey @matt- Good questions. Thought it might be solving the same XSS issue that had already been merged in (from your PR #844). I don't know enough about the library yet (and I'm not an uber-JS person); so, I'm glad you stepped in. Therefore, while I can help increase flow to publish updates to NPM, document things and establish visions and missions, I'm gonna have to leverage the community a lot to safeguard the codebase. Of course, that's if the community wants to do that. If not, then maybe the mission should be to help folks transition to something else. Reopening. As a collaborator (I think you're a collaborator); do you have the ability to merge? See also #956

Nice. I am super excited we have the ability to push. I will look / update some of this tonight. It was hard to be motivated to fix anything knowing it was not going to ever go out.

@matt- : Agreed and understandable. So far you are the only collaborator to step back in. @UziTech has also been helping out. Please, keep me posted on what y'all need from a release perspective. I've been doing what I can on the issues. Trying to close a page's worth a week... it's slow going through. Lots of issues.
When mangling is disabled via the `mangle` option, marked doesn't escape the target href. This allows an attacker to inject arbitrary HTML event handlers into the resulting `a` tag. For example, this JS code:

Will render:

Tested on marked v0.3.6

Online demo: http://www.buglloc.com/marked-mangle.html

Fixes #925
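Added example (not part of this thread and not marked's own code): a minimal autolink renderer that places the bug described in this issue and in the first comment (the captured autolink text copied verbatim into the href and link body when mangling is off) next to the fix suggested above (HTML-escape the captured text before it is used anywhere in the output), with a regression check that verifies the rendered fragment cannot have had an attribute or tag opened by the input. The names `renderAutolinkUnsafe`, `renderAutolinkSafe`, `isWellFormedAutolink` and `compareRenderers` are hypothetical; the sample inputs are constructed from the captured portions of the payloads shown on this page plus an ordinary address.

```javascript
// Added example, not part of this thread and not marked's own code. It shows
// the reported bug (raw captured text in href and body when mangling is off)
// beside the fix (escape the captured text first) and a regression check.
// renderAutolinkUnsafe, renderAutolinkSafe, isWellFormedAutolink and
// compareRenderers are hypothetical names chosen for this example.

// Entity escaper of the kind a markdown renderer applies to text and
// attribute values. '&' is replaced first so already-produced entities
// are not double-escaped.
function escapeHtml(html) {
  return html
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors the reported behaviour: with mangling disabled, the text captured
// between '<' and '>' is used raw in both the href and the link body.
function renderAutolinkUnsafe(captured) {
  return '<a href="mailto:' + captured + '">' + captured + '</a>';
}

// Fixed renderer: escape once, then use the escaped value everywhere it
// appears. The mangling (obfuscation) step is deliberately absent, since the
// point is that output escaping must not depend on it.
function renderAutolinkSafe(captured) {
  const text = escapeHtml(captured);
  return '<a href="mailto:' + text + '">' + text + '</a>';
}

// Regression check: the output must be exactly one <a> element whose href
// value and body contain no raw quote or angle bracket, so the input cannot
// have closed the attribute or opened another tag.
const WELL_FORMED_AUTOLINK = /^<a href="mailto:([^"<>]*)">([^"<>]*)<\/a>$/;
function isWellFormedAutolink(html) {
  return WELL_FORMED_AUTOLINK.test(html);
}

// Constructed inputs: the captured text from the payloads shown in this
// thread, plus an ordinary address that must keep working.
const SAMPLES = ['<svg///@x', '<script/@x', 'user@example.com'];

// Renders every sample with both renderers and records whether each output
// passes the regression check. Returns the rows so they can be asserted on.
function compareRenderers() {
  return SAMPLES.map(function (captured) {
    const unsafe = renderAutolinkUnsafe(captured);
    const safe = renderAutolinkSafe(captured);
    return {
      captured: captured,
      unsafeOutput: unsafe,
      unsafeOk: isWellFormedAutolink(unsafe),
      safeOutput: safe,
      safeOk: isWellFormedAutolink(safe)
    };
  });
}

// Stand-alone run: print one row per sample.
compareRenderers().forEach(function (row) {
  console.log(JSON.stringify(row));
});
```

The check in `isWellFormedAutolink` is the kind of assertion worth keeping in a test suite for this bug: it does not look for any particular payload, it only requires that the href value and link body of the rendered fragment are free of raw `"`, `<` and `>`, which is exactly the property that escaping the captured text guarantees and that the unescaped path violates.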