Master XSS markdown renderer fix

securityINSANESECURITY DEBUGGING

Master XSS markdown renderer fix

Insane Security Basics arena: HTML sanitization, safe links, script stripping, and regression payloads

XP reward

940

Coins

Target time

91m

Mission locked

Missing prerequisites: security-easy-xss-markdown-renderer

A profile bio renderer supports markdown, but a report shows JavaScript executing inside preview cards. You are working inside a secure engineering review room, and the arena only clears when the result is safe, deterministic, and explainable.

Learning objective

Learn to apply HTML sanitization, safe links, script stripping, and regression payloads in a secure engineering review room while explaining the invariant, safety constraints, and hidden edge cases.

Mission order

Markdown includes links, images, inline HTML, code fences, and crafted event-handler attributes. Prove your approach, handle adversarial inputs, and leave the solution maintainable. Submit the solution plus enough reasoning to pass hidden edge cases.

Visible checks

reproduces the reported failure

Expected: minimal failing case

adds a regression test

Expected: test fails before fix

Clear requirements

Demonstrates HTML sanitization, safe links, script stripping, and regression payloads
Handles the visible sample and hidden edge cases
Keeps output deterministic and explainable
Avoids unsafe dynamic execution

Secure validation contract

Judge type

SECURITY DEBUGGING

Complexity target

Minimal reproduction, source-cause fix, and regression test

Workspace

Code editor

locked

Clear the route first

You can read the mission brief, but the editor, hints, tests, and submit flow stay locked until progression or plan access catches up.

Enter Immersive

Test Results

Run the visible checks when your first pass is ready.

Clear Protocol

1Read the scenario and restate the expected output shape.

2Run visible checks before chasing hidden edge cases.

3Use Genie for one nudge if stuck, then explain the invariant.

4Submit only when the result is deterministic and safe.

Rewards

940

Coins

Mission Route

Previous Next

Back to catalog

Hints

Hints are metered and logged for No Hint Hero runs.

Genie Mentor Core

Hint protocol / contextual guardrails active

Progressive hints

Failed-test aware

Solution guarded

Mission: security-insane-xss-markdown-renderer0 attempts0 failed tests0 hints used

Progressive hint depth

Genie: Genie online. I use your mission, attempts, failed tests, hints, and path context to coach the next rep without dumping answers first.

Related Missions

Master JWT algorithm confusion audit

INSANE / 930 XP

Master SSRF URL filter repair

INSANE / 935 XP

Master RBAC admin leak closure

INSANE / 945 XP

Master secret redaction in logs

INSANE / 950 XP

Master CSRF state token review

INSANE / 955 XP

securityINSANESECURITY DEBUGGING