Advisories for Npm/Defuddle package

2026

defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag

The _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping: `html += `<img src="${imageSrc}" alt="${imageAlt}">`;` An attacker can use a `"` in the alt attribute to break out of the attribute context and inject event handlers. This is a separate vulnerability from the sanitization bypass fixed in f154cb7 — the injection happens during string construction, not in the DOM, so _stripUnsafeElements cannot …
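The attribute-context breakout described above, shown as an added illustration that is not defuddle's own code: the raw interpolation pattern next to a hardened form that escapes each value before it enters the template string. The helper names (escapeAttr, buildImgTagUnsafe, buildImgTag, attributeCount) and the sample inputs are constructed for this example.

```typescript
// Added example, not code from the defuddle project.

// Minimal escaper for values placed inside a double-quoted HTML attribute.
// Ampersand is replaced first so later replacements are not double-encoded.
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Mirrors the pattern in the advisory: values interpolated straight into
// attribute positions, so a '"' in either value ends the attribute early.
function buildImgTagUnsafe(src: string, alt: string): string {
  return `<img src="${src}" alt="${alt}">`;
}

// Hardened form: every interpolated value is escaped for the attribute context,
// so the output always has exactly the attributes the template declares.
function buildImgTag(src: string, alt: string): string {
  return `<img src="${escapeAttr(src)}" alt="${escapeAttr(alt)}">`;
}

// Constructed check (not a real HTML parser): counts quoted attributes in a
// tag. A value that breaks out of its attribute shows up as an extra one.
function attributeCount(tag: string): number {
  return (tag.match(/\s[a-zA-Z-]+="/g) || []).length;
}

// Constructed sample: an alt text carrying a stray double quote.
const sampleAlt = 'photo" data-injected="1';
console.log(buildImgTagUnsafe("a.png", sampleAlt), attributeCount(buildImgTagUnsafe("a.png", sampleAlt)));
console.log(buildImgTag("a.png", sampleAlt), attributeCount(buildImgTag("a.png", sampleAlt)));
```

Escaping at the point of string construction is the fix that applies here; a DOM-level sanitizer running afterwards only sees the already-assembled markup.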