### Description An attacker can induce Mark Text users to copy the HTML code below to execute a Remote Code Execution attack via XSS. ```html

``` The above code is inserted into the Mark Text as a DOM through the source code below, and the remote code execution is performed by calling child_process through the inline script. https://github.com/marktext/marktext/blob/b0299387a5f0b68c7656e2885ee5a520b9c41646/src/muya/lib/contentState/pasteCtrl.js#L44-L65 - [x] Can you reproduce the issue? ### Steps to reproduce 1. Copy the vulnerable HTML code - `

` 2. Paste it into Mark Text app **Expected behavior:** HTML should be sanitized before pasted into DOM. **Actual behavior:** No HTML sanitize procedure. Only checks if it's wrapped with `` or not. **Link to an example: [optional]** https://user-images.githubusercontent.com/3125044/152838590-accd8020-54de-4eae-9060-1b5a7613b4f4.mp4 https://user-images.githubusercontent.com/3125044/152840175-23769a99-8216-4bb4-8744-12ef27aa5a01.mp4 ### Versions - MarkText version: `v0.16.3` - Operating system: Windows 11 `Version 21H2 - OS Build 22000.469` Kali Linux `Kali GNU/Linux Rolling 2021.4`

Security issue: DOM based XSS & RCE - from pasting vulnerable HTML #2990

Company

Community

Support

Connect