vditor is vulnerable to cross-site scripting. The vulnerability exists because the library does not properly encode the double-quotes in the url, allowing an attacker to escape the href
attribute and inject and execute malicious javascript via the links using markdown syntax.