VBScript Content Injection
Versions 0.3.2 and earlier of
marked are affected by a cross-site scripting vulnerability even when
sanitize:true is set.
Proof of Concept ( IE10 Compatibility Mode Only )
will get a link
<a href="vbscript:alert(1)">xss link</a>
Update to version 0.3.3 or later.