Marked · CVE-2016-10531
**Name of the Vulnerable Software and Affected Versions**
marked versions 0.3.5 and earlier
**Description**
The issue lies in how marked parses HTML entities in its input, which allows the content-injection protection enabled by `sanitize: true` to be bypassed and a `javascript:` URL to be injected. The flaw is that an entity such as `&#xNNanything;` is parsed as a character reference, leaving behind the remaining characters (`anything;`). This leads to cross-site scripting in link components: for instance, a link URI like `javascript&#x58document;alert(1)` renders as a valid link that executes `alert(1)` when clicked.
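An added illustration of the mechanism above, written for this page and not marked's own code: a lenient entity decoder that lets trailing characters vanish from the sanitizer's view, beside a decoder that consumes only what a browser would, plus a protocol check of the shape the advisory describes. The function names, the `NAMED` table and all inputs are assumptions constructed for the example.

```javascript
// Constructed illustration, not marked's own code: a sanitizer that decodes
// HTML entities differently from the browser sees a different URL than the
// one the browser will navigate to. All inputs are made up for the example.

// Lenient decoder modelling the flaw in the advisory: it grabs the whole run
// of [#\w] before ';' and hands it to parseInt, which silently stops at the
// first non-digit. "&#x58document;" collapses to ONE character, so the
// trailing "ocument;" disappears from the sanitizer's view (and only there).
function unescapeLenient(s) {
  return s.replace(/&([#\w]+);/g, (_, n) => {
    n = n.toLowerCase();
    if (n === 'colon') return ':';
    if (n[0] !== '#') return '';
    const cp = n[1] === 'x' ? parseInt(n.slice(2), 16) : parseInt(n.slice(1), 10);
    return Number.isNaN(cp) || cp > 0x10ffff ? '' : String.fromCodePoint(cp);
  });
}

// Strict decoder: consumes only the digits a browser would consume, leaves
// everything else in place and maps out-of-range values to U+FFFD, so the
// sanitizer and the browser see the same string. Named references are
// limited to an assumed small table and require the closing ';'.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':' };
function unescapeStrict(s) {
  const toChar = (cp) => (cp === 0 || cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp));
  return s.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);/gi, (m, hex, dec, name) => {
    if (hex) return toChar(parseInt(hex, 16));
    if (dec) return toChar(parseInt(dec, 10));
    return NAMED[name.toLowerCase()] ?? m; // unknown name: leave as written
  });
}

// Protocol check of the shape the advisory describes: decode entities, drop
// everything except word characters and ':', then look for a script scheme.
// Which decoder is passed in decides what the check actually inspects.
function hrefIsBlocked(href, decode) {
  let prot;
  try {
    prot = decodeURIComponent(decode(href)).replace(/[^\w:]/g, '').toLowerCase();
  } catch (e) {
    return true; // malformed percent-encoding: refuse rather than guess
  }
  return /^(javascript|vbscript|data):/.test(prot);
}
```

Running the page's example URI through both decoders shows the divergence: the lenient decoder yields a string with `ocument;` gone, while the strict decoder yields the `javascript֍ocument;alert(1)` a browser would actually render.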
**Recommendations**
Update to version 0.3.6 or later.
As a temporary workaround, consider disabling the `sanitize: true` configuration until a patch is available.
Restrict access to link components to minimize the risk of exploitation.
Avoid using HTML entities in link URIs until the issue is resolved.