marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time.
Affected versions of this package are vulnerable to VBScript Content Injection.
will get a link
<a href="vbscript:alert(1)">xss link</a>
This script does not work in IE 11 edge mode, but works in IE 10 compatibility view.
Upgrade marked to version 0.3.3 or higher.
Snyk patch available for versions:
- <=0.3.2 >=0.3.1
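
Link targets in rendered output can also be checked against a scheme allowlist, which rejects `vbscript:` without having to name it. The following is an added example, not code from marked or from the Snyk patch; the function names and the set of allowed schemes are assumptions.

```javascript
// Added example: scheme allowlist for hrefs emitted by a markdown renderer.
// All names here are hypothetical; this is not marked's API or its patch.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const NAMED_REFS = new Map([['colon', ':'], ['tab', '\t'], ['newline', '\n'], ['amp', '&']]);

// Resolve character references the way a browser does inside an attribute
// value, so an encoded scheme cannot hide from the check.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1] === 'x' || ref[1] === 'X';
      const cp = parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
    }
    const value = NAMED_REFS.get(ref.toLowerCase());
    return value === undefined ? match : value;
  });
}

// Return the lower-cased scheme, or null for a relative URL.
function hrefScheme(href) {
  // Drop spaces and control characters everywhere; stricter than a browser,
  // which is the safe direction for a filter.
  const cleaned = decodeEntities(String(href)).replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

function isSafeHref(href) {
  const scheme = hrefScheme(href);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed contrast: a denylist that only knows one scheme.
function naiveDenylistAllows(href) {
  return !/^javascript:/i.test(String(href).trim());
}

// Constructed sample inputs; the first is the href shown in the advisory.
for (const href of ['vbscript:alert(1)', 'https://example.com/', '/docs/intro']) {
  console.log(href, '| denylist allows:', naiveDenylistAllows(href),
              '| allowlist allows:', isSafeHref(href));
}
```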