Vanessa219/vditor is a browser-based markdown editor. If the user passes javascript:alert(document.domain)
as the URL value when creating a link with markdown syntax, the URL is not sanitized and the link is created as-is, so the javascript: scheme is emitted directly into the rendered anchor's href.
XSS PoC : [xss](javascript:alert(document.domain))
1. Open https://ld246.com/guide/markdown
2. Enter the XSS PoC
3. Click the Link
Video : https://www.youtube.com/watch?v=5zzdiBivNSs
Through this vulnerability, an attacker can execute arbitrary script in the browser of any user who clicks the crafted link (cross-site scripting).
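The defensive counterpart, as an added example that is not vditor's own code: an allowlist check on the link destination's URL scheme that a markdown renderer can apply before emitting an anchor. The function names safeHref, renderLink and escapeHtml and the example base URL are assumptions for this illustration, not identifiers from the project.

```javascript
// Added example (not vditor's code): only these schemes may appear in a rendered link.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Resolve the destination the way a browser would. The WHATWG URL parser strips
// leading/trailing whitespace and embedded tabs/newlines and lowercases the scheme,
// so the scheme check sees the same value the browser would act on. Relative
// destinations resolve against `base` (a constructed placeholder) and are kept.
// Returns the normalized href, or null when the link must not be emitted.
function safeHref(dest, base = "https://example.invalid/") {
  let url;
  try {
    url = new URL(dest, base);
  } catch {
    return null; // unparsable destination: drop the link rather than guess
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Minimal HTML escaping for text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render one markdown link [text](dest). A rejected destination degrades to
// plain text instead of an anchor, so the javascript: PoC above renders as "xss".
function renderLink(text, dest) {
  const href = safeHref(dest);
  const label = escapeHtml(text);
  return href === null ? label : `<a href="${escapeHtml(href)}">${label}</a>`;
}
```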