dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute of an SVG element.
dojotoolkit dojo 1.13.0