I really hate that every markdown engine has its own flavor and I hope for a better standardization.
There is commonmark but it is lacking features like tables. https://commonmark.org/
Hopefully it doesn’t have any Remote Code Execution vulnerabilities, like Microslop’s implementation had.
How in the world did they manage that? Did they implement it internally as a TCP API and expose it?
I don’t know the technicalities, but Markdown supports links, and it’s possible to craft a link that downloads a file and then executes it. You can look up the Notepad.exe RCE vulnerability from this year.
Basically Notepad would pass the link to ShellEx and could launch executables.
They probably vibe coded it, and only copilot reviewed and merged the code.
It was like:
Hey Copilot, add Markdown support in Word
Sure thing Satya! There you have it, I made sure not to add any vulnerabilities like you always tell me.
