EpicEditor Introduction
EpicEditor is an embeddable JavaScript Markdown editor with split fullscreen editing, live previewing, automatic draft saving, offline support, and more. For developers, it offers a robust API, can be easily themed, and allows you to swap out the bundled Markdown parser with anything you throw at it.
The project url:https://github.com/OscarGodson/EpicEditor
Causes of Vulnerability
EpicEditor uses marked.js(https://github.com/chjj/marked) to render the page, but does not filter the input tags, resulting in an XSS vulnerability.
TEST version
EpicEditor-0.2.2
Vulnerability reproduction
Create new test.html, reference edipeditor.js
And then visit test.html, in the editor,
<img src = 0 onerror = alert (1)>, click on the preview, the results as shown below
Bug fixes
marked.defaults = {
gfm: true,
tables: true,
breaks: false,
pedantic: false,
sanitize: false,
silent: false,
highlight: null
};
Set sanitize to true, or call marked.setOptions ({sanitize: true}) in the previous render;
BadCode 