Sharp user-provided input can be evaluated in a SharpShowTextField with Vue template syntax
A Cross-Site Scripting (XSS) vulnerability was discovered in code16/sharp when rendering content using the SharpShowTextField component. In affected versions, expressions wrapped in {{ and }} inside a field's value were evaluated by Vue as template syntax rather than rendered as text. This allowed attackers to inject arbitrary JavaScript or HTML that executes in the browser when the field is displayed. For example, if a field's value contains {{ Math.random() }}, the expression is evaluated instead of the literal text being shown.
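The two rendering paths the advisory contrasts, as an added illustration that is not code from code16/sharp: in the first, a stored field value is concatenated into the template source, so Vue's runtime compiler evaluates any {{ }} it contains; in the second, the same value is bound as data and Vue's own interpolation renders it as a text node. The element ids, the `stored` variable and the use of Vue 3's full build from unpkg are assumptions of this example.

```html
<!-- Added example: compare how a stored value reaches the DOM -->
<div id="vulnerable"></div>
<div id="safe"></div>
<!-- Full build (includes the runtime template compiler), assumed to be available -->
<script src="https://unpkg.com/vue@3/dist/vue.global.js"></script>
<script>
  const { createApp } = Vue;

  // Constructed sample: the kind of value an attacker could store in a text field.
  const stored = '{{ Math.random() }}';

  // Vulnerable path: the value becomes part of the template string itself,
  // so the compiler treats {{ Math.random() }} as an expression and evaluates it.
  // The page shows a random number instead of the literal text.
  createApp({
    template: '<p>' + stored + '</p>'
  }).mount('#vulnerable');

  // Safe path: the value is component data, and the template only references it.
  // Vue's text interpolation inserts it as a text node, so the browser shows
  // the literal string "{{ Math.random() }}" and nothing is evaluated.
  createApp({
    data: () => ({ stored }),
    template: '<p>{{ stored }}</p>'
  }).mount('#safe');
</script>
```

Binding the value with `v-text` behaves the same as the safe path above; what matters is that user-controlled text is never spliced into template source.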