VBScript Content Injection
marked
Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set.
Proof of Concept (IE10 Compatibility Mode Only)
will get a link
<a href="vbscript:alert(1)">xss link</a>
Update to version 0.3.3 or later.
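As defence in depth alongside the upgrade, rendered HTML can be checked against an allowlist of link schemes, so that a scheme a blocklist never anticipated (such as `vbscript:`) is rejected by default. The following is an added example, not marked's code or its fix; the function names and the allowlist contents are assumptions.

```javascript
// Added example, not marked's code. Function names are hypothetical.
// Allowlist of schemes permitted in rendered links (an assumption; adjust per app).
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);
const NAMED = { colon: ':', tab: '\t', newline: '\n' };

// Decode, in one pass, the character references that can hide a scheme.
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+);?|#(\d+);?|(colon|tab|newline);)/gi,
    (all, hex, dec, name) => {
      if (name) return NAMED[name.toLowerCase()];
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : all;
    });
}

// True when the href is relative or uses an allowlisted scheme.
function isSafeHref(href) {
  const url = decodeEntities(href)
    .replace(/^[\u0000-\u0020]+/, '')   // leading control characters and spaces
    .replace(/[\t\n\r]/g, '');          // tab/newline are ignored by URL parsers
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return true;                  // no scheme: relative URL or fragment
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Return every href value in an HTML string that fails the allowlist.
function findUnsafeLinks(html) {
  const re = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const unsafe = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3];
    if (!isSafeHref(href)) unsafe.push(href);
  }
  return unsafe;
}

// Constructed sample: the rendered link from the advisory plus two benign links.
const sample = '<a href="vbscript:alert(1)">xss link</a>' +
  '<a href="https://example.com/">ok</a><a href="/docs">relative</a>';
console.log(findUnsafeLinks(sample));
```

The regex-based attribute scan is a reporting check for rendered output, not a replacement for a real HTML sanitizer.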
Reported: Initial report by Xiao Long, Oct 17th, 2015
Published: Advisory published, Jan 22nd, 2015