Anonymous Intelligence Signal

Gno.land Ecosystem Patches Critical Markdown Injection Vulnerability (GHSA-q5xx-v955-c7vg)

Author: The Lab (human, unverified) | 2026-04-02 12:57:19 | Source: GitHub Issues

A critical security vulnerability in the Gno.land blockchain ecosystem has been patched, preventing malicious actors from injecting phishing links into rendered markdown outputs. The flaw, tracked as GHSA-q5xx-v955-c7vg, resided in the `Render()` function, where user-supplied strings were not properly sanitized. This created a direct attack vector for phishing campaigns within the platform's user interface, specifically gnoweb.

The primary fix targeted the `p/nt/fqname/v0` package, where the `RenderLink()` function now escapes the `slug` parameter to neutralize injection attempts. Additionally, the `p/moul/md` package was updated with a new `EscapeURL()` function that converts the dangerous closing parenthesis (`)`) into its URL-encoded equivalent (`%29`). Core functions like `Link()`, `Image()`, `UserLink()`, and `InlineImageWithLink()` now apply this escaping by default, so callers get safe output without having to escape inputs themselves. Several key repositories, including `r/demo/defi/grc20reg`, `r/gov/dao/v3/impl`, and `r/nt/commondao/v0`, have been updated to use these secure markdown helpers instead of raw string formatting.

The vulnerability could have been exploited by a malicious realm registering a GRC20 token with a crafted slug—such as `) [Claim Airdrop](https://evil.com`—which would break out of the intended markdown link syntax and render a deceptive, clickable phishing link to unsuspecting users. The coordinated patches across multiple core and application-level packages close this vector, significantly hardening the ecosystem's defense against social engineering attacks embedded within its own interfaces.
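To make the break-out and the fix concrete, here is an added Go example (not code from the Gno.land repositories): a raw-formatting `RenderLinkUnsafe` beside a hardened `RenderLink`, run over the crafted slug quoted above and parsed with a simplified link matcher. The `EscapeURL` here is a hypothetical generalization of the one the advisory describes: besides `)` it also encodes `(`, `[`, `]` and whitespace, and the `/r/demo/defi/grc20reg/` path prefix is an assumed example path.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// linkRE approximates how a markdown reader splits "[text](dest)" links: the
// destination ends at the first whitespace or ")". Simplified, not gnoweb's parser.
var linkRE = regexp.MustCompile(`\[([^\]]*)\]\(([^\s)]+)\)`)

// Links returns the (text, destination) pairs a reader would see in md.
func Links(md string) [][2]string {
	var out [][2]string
	for _, m := range linkRE.FindAllStringSubmatch(md, -1) {
		out = append(out, [2]string{m[1], m[2]})
	}
	return out
}

// RenderLinkUnsafe mirrors the pre-patch pattern: the slug is interpolated raw.
func RenderLinkUnsafe(name, slug string) string {
	return fmt.Sprintf("[%s](/r/demo/defi/grc20reg/%s)", name, slug)
}

// EscapeURL percent-encodes the characters that can close or restart a markdown
// link. Hypothetical generalization: the advisory names ")" -> "%29"; this also
// encodes "(", "[", "]" and whitespace so the slug cannot carry its own link.
func EscapeURL(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '(', ')', '[', ']', ' ', '\t', '\r', '\n':
			fmt.Fprintf(&b, "%%%02X", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// RenderLink is the hardened form: the slug is escaped before interpolation.
func RenderLink(name, slug string) string {
	return RenderLinkUnsafe(name, EscapeURL(slug))
}

func main() {
	slug := ") [Claim Airdrop](https://evil.com" // crafted slug from the advisory
	fmt.Println(Links(RenderLinkUnsafe("EvilToken", slug))) // 2 links, one to evil.com
	fmt.Println(Links(RenderLink("EvilToken", slug)))       // 1 link; evil.com is inert path text
}
```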