HTML Injection in preact
Versions of preact on prerelease tags alpha and beta are vulnerable to HTML Injection. Due to insufficient input validation the package allows attackers to inject JavaScript objects as virtual-dom nodes, which may lead to Cross-Site Scripting. This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization. Upgrade to .