simditor is vulnerable to cross-site scripting (XSS). The attack can be triggered because it does not sanitize the DOM object properly, allowing an attacker to inject arbitrary Javascript within a malicious SVG element into a victim’s browser via the onload
parameter.