Marked 0.3.2 and earlier is vulnerable to content injection even when
sanitize: true is enabled.
will get a link
<a href="vbscript:alert(1)">xss link</a>
This script does not work in IE 11 edge mode, but works in IE 10 compatibility view.
Source: Node Security Project
Upgrade to version 0.3.3 or greater.
Snyk patch available for versions:
- <=0.3.2 >=0.3.1
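
The check below is an added example, not code from marked, the Node Security Project or Snyk: it scans rendered HTML for anchor hrefs whose scheme is outside an allowlist, so output like the vbscript: link above is flagged no matter which schemes the renderer itself filters. The names ALLOWED_SCHEMES, NAMED, fromRef, decodeEntities, hrefScheme and unsafeLinks and the allowed scheme set are assumptions, and the regex tag matching is an approximation meant for checking renderer output in tests, not a replacement for an HTML sanitizer.

```javascript
// Added example: flag links in rendered HTML whose scheme is not allowlisted.
// The allowlist is an assumption; adjust it to what your pages need.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Entities that can hide a scheme name or its colon inside an attribute value.
const NAMED = { colon: ":", tab: "\t", newline: "\n", amp: "&" };

// Map a numeric character reference to its character (U+FFFD if out of range).
const fromRef = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "\ufffd");

// Decode entities in a single pass, as a browser does before reading the URL.
// Matching is case-insensitive and semicolon-optional, i.e. more lenient
// than a browser, so the check errs toward flagging.
function decodeEntities(s) {
  const re = /&(?:#x([0-9a-f]+)|#(\d+)|(colon|tab|newline|amp));?/gi;
  return s.replace(re, (m, h, d, n) =>
    h ? fromRef(parseInt(h, 16)) : d ? fromRef(parseInt(d, 10)) : NAMED[n.toLowerCase()]);
}

// Return the lowercased scheme of an href value, or null for a relative URL.
function hrefScheme(rawHref) {
  // Browsers drop leading whitespace/control characters and ignore
  // tab, CR and LF anywhere in a URL, so remove them before matching.
  const url = decodeEntities(rawHref)
    .replace(/^[\u0000-\u0020]+/, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Return every <a href> in the HTML whose scheme is not allowlisted.
function unsafeLinks(html) {
  const found = [];
  const re = /<a\b[^>]*?\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3];
    const scheme = hrefScheme(href);
    if (scheme !== null && !ALLOWED_SCHEMES.has(scheme)) found.push({ href, scheme });
  }
  return found;
}
```

Running unsafeLinks over the renderer's output in a regression test catches this class of link both before and after the upgrade to 0.3.3.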