If you discover a security vulnerability in MarkdownViewer, please report it responsibly.
Do not open a public issue for security vulnerabilities.
Instead, please email: lsmola@github.com (replace with your preferred contact)
Or use GitHub's private vulnerability reporting.
Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Potential impact
Response timeline:
- Acknowledgment: within 48 hours
- Assessment: within 1 week
- Fix: depends on severity (critical: ASAP, others: next release)
MarkdownViewer is a read-only document viewer. It:
- Cannot modify files — read-only FileDocument
- Has no network access at runtime — all resources are bundled
- Sanitizes HTML via DOMPurify before rendering
- Restricts content loading via Content-Security-Policy
- Limits link navigation to http, https, and mailto schemes
- Runs Mermaid in strict mode — disables unsafe diagram features
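The link-scheme restriction above is the kind of check a viewer needs because a markdown document can carry any `href` it likes. The following is an added example, not MarkdownViewer's own code: it assumes the viewer is handed the raw `href` string of a rendered anchor and must decide whether to open it, and it uses the WHATWG `URL` class (built into Node and browsers) rather than a string-prefix test so that scheme case, surrounding whitespace and embedded tab/newline characters are normalised the way a browser would normalise them before navigating. Relative links are rejected as an assumption of this example; the real viewer may handle them separately.

```javascript
// Added example (not MarkdownViewer's own code): a navigation allowlist
// for http, https and mailto, mirroring the policy's stated restriction.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Returns true only for absolute URLs whose scheme is on the allowlist.
// Parsing with URL is deliberate: a prefix check such as
// href.startsWith("javascript:") misses " JavaScript:" and "java\nscript:",
// both of which a browser normalises to the javascript: scheme.
function isAllowedLink(href) {
  if (typeof href !== "string") return false;
  let url;
  try {
    // No base URL is supplied, so relative links throw and are rejected
    // (an assumption of this example, not the project's behaviour).
    url = new URL(href);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Sorts a document's hrefs into those the viewer may open and those it
// must block. Returns { allowed: [...], blocked: [...] }.
function triageLinks(hrefs) {
  const result = { allowed: [], blocked: [] };
  for (const href of hrefs) {
    (isAllowedLink(href) ? result.allowed : result.blocked).push(href);
  }
  return result;
}

// Constructed sample hrefs of the kind untrusted markdown can contain.
const SAMPLE_HREFS = [
  "https://example.com/docs",
  "HTTPS://EXAMPLE.COM/upper-case-scheme",
  "mailto:maintainer@example.com",
  "javascript:alert(1)",
  " JavaScript:alert(1)",
  "java\nscript:alert(1)",
  "file:///tmp/notes.txt",
  "vscode://some-extension/open",
  "relative/page.md",
];

console.log(triageLinks(SAMPLE_HREFS));
```

In a DOMPurify-based pipeline a check like `isAllowedLink` would usually run either in the click handler that opens links or in a DOMPurify `afterSanitizeAttributes` hook that strips disallowed `href` values before the HTML reaches the page; which of those MarkdownViewer does is not stated here.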
Supported versions:
| Version | Supported |
|---|---|
| latest | Yes |
JavaScript libraries are bundled at build time (not loaded at runtime):
| Library | Purpose | Security role |
|---|---|---|
| DOMPurify | HTML sanitization | Prevents XSS from markdown content |
| marked | Markdown parsing | Converts markdown to HTML |
| mermaid | Diagram rendering | Runs in strict security mode |
| github-markdown-css | Styling | CSS only, no code execution |