Versions 1.4.0 and earlier of remarkable are affected by a cross-site scripting vulnerability. This occurs because vulnerable versions of remarkable did not properly whitelist link protocols, and consequently allowed javascript: to be used.

Proof of Concept

Markdown Source:

[link](<javascript:alert(1)>)

Rendered HTML:

<a href="javascript:alert(1)">link</a>

Recommendation

Update to version 1.4.1 or later

References

• jonschlinkert/remarkable#97
• https://www.npmjs.com/advisories/30
• https://nvd.nist.gov/vuln/detail/CVE-2014-10065
• jonschlinkert/remarkable@d54ed88