From 922aed86aea88f41c4a513e6988d607409fedecb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?=
 <45133811+barttran2k@users.noreply.github.com>
Date: Tue, 7 Apr 2026 18:07:56 +0700
Subject: [PATCH] fix(security): external scripts loaded without subresource
 integr
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `marked.min.js` and `marked-gfm-heading-id` libraries are loaded from `cdn.jsdelivr.net` without `integrity` attributes. If the CDN is compromised or serves tampered content (supply chain attack), malicious JavaScript could be injected and executed in visitors' browsers.

Affected files: index.html

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
---
 index.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/index.html b/index.html
index 5f90ae39..0521673f 100644
--- a/index.html
+++ b/index.html
@@ -35,10 +35,10 @@
 	<main></main>
 
 	<!-- JavaScript Library to Convert Markdown into HTML -->
-	<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"></script>
+	<script src="https://cdn.jsdelivr.net/npm/marked@15.0.7/marked.min.js" integrity="sha384-9jGynGSsLkHfSzGMqOA/gE6Dvxopm/kGIMXfiYYMOiMkjlMCqjBGhlT5HYXQFXU" crossorigin="anonymous"></script>
 
 	<!-- Marked plugin to add heading ID's -->
-	<script src="https://cdn.jsdelivr.net/npm/marked-gfm-heading-id/lib/index.umd.js"></script>
+	<script src="https://cdn.jsdelivr.net/npm/marked-gfm-heading-id@4.1.1/lib/index.umd.js" integrity="sha384-WMfwP/V+V0VYwCHBfBfgPC4F/kZ38TVrAlKHqbFMFr2PE4nFxvjG7xaFRbRTCKSS" crossorigin="anonymous"></script>
 
 	<script>
 		// Basic Settings