Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This affects all versions of package markdown-it-toc. The title of the generated toc and the contents of the header are not escaped.
Advisories for Npm/Markdown-It-Toc package
2022