@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Ori

Severity:: High

Description

Anonymous GitHub fetches repository content (e.g., markdown files) from GitHub’s API and renders it without sanitization. On the client side, markdown is parsed with marked (with sanitize: false) and injected into the DOM via $sce.trustAsHtml() + ng-bind-html, bypassing AngularJS’s built-in XSS protection.

Recommendation

Update the @tdurieux/anonymous_github package to the latest compatible version. Followings are version details:

Affected version(s): = 2.2.0
Patched version(s): 2.3.0

References

GHSA-g485-8j3v-p6x8
CWE-79
CWE-80
OWASP 2021-A3

Related Issues

Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering) - Vulnerability
DOMPurify is vulnerable to mutation-XSS via Re-Contextualization - Vulnerability
PDFME has XSS via Unsanitized i18n Label Injection into innerHTML in multiVariableText propPanel - Vulnerability
auth0-lock vulnerable to XSS via unsanitized placeholder property - CVE-2019-20174

How to Secure your NodeJs Express Javascript Application - part 1

These 7 PHP mistakes leave your website open to the hackers

How do hackers hack websites?

Tags:: npm; @tdurieux/anonymous_github

Anything's wrong? Let us know Last updated on May 05, 2026