Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments. For instance, ?text=<svg/onload=alert(1)> would trigger XSS here. const [text] = createResource(() => { return new URL(getRequestEvent().request.url).searchParams.get("text"); }); return ( <> Text: {text()} </> );