GHSA-9r27-994c-4xch: 
JavaScript vulnerability analysis and mitigation

A high-severity vulnerability was identified in the discord-markdown npm package (GHSA-9r27-994c-4xch) affecting versions prior to 2.3.1. The vulnerability was discovered and disclosed on February 20, 2020, where code blocks without language identifiers were not properly escaping HTML content, potentially allowing arbitrary HTML injection (GitHub Advisory).

The vulnerability stems from the discord-markdown package's handling of code blocks that lack language identifiers. When processing these blocks, the package failed to properly sanitize HTML characters, allowing raw HTML to be rendered in the output. This issue specifically occurred in the HTML processing rules where code blocks without syntax highlighting were not passing through the sanitization function (GitHub Commit).

The vulnerability could allow attackers to inject arbitrary HTML code into websites that use discord-markdown to process user-generated markdown content. This creates a potential cross-site scripting (XSS) attack vector, where malicious users could execute unauthorized JavaScript or inject unwanted HTML content into the affected pages (GitHub Advisory).

The vulnerability was patched in version 2.3.1 of discord-markdown. For users unable to update immediately, a workaround is available by manually escaping the characters <, >, and & before sending plain code blocks to discord-markdown. Users are strongly encouraged to upgrade to version 2.3.1 or later to receive the security fix (GitHub Advisory).