[security-advisory] XSS issue in Quicklisp release 2024-10-12

Hi folks, this issue is just an advisory if you're using markup in your production code. There was an XSS issue where under certain circumstances, we didn't escape strings. This is fixed on the latest commit.

This only affect `,@(...)`. To the best of our knowledge, there's no escaping issues with `,(...)`.

In particular, in the old version the following will result in the alert message being shown.

```
(let ((val "<script>alert(1)</script>"))
      (markup:write-html
       <a>,@(list val)</a>)))

```

In the fixed version this will correctly render as: `<a>&lt;script&gt;alert(1)&lt;/script&gt;</a>`.


Consider using [quick-patch](https://github.com/tdrhq/quick-patch) to pull in the latest version of this project:

```
  (quick-patch:register "https://github.com/moderninterpreters/markup" "0d094d3cdefa6d714a3d094b7cddd02e944d64fd")
```



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[security-advisory] XSS issue in Quicklisp release 2024-10-12 #13

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[security-advisory] XSS issue in Quicklisp release 2024-10-12 #13

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions