CVE-2025-27109: Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)

Inserts/JSX expressions inside illegal inlined JSX fragments lacked escaping, allowing user input to be rendered as HTML when put directly inside JSX fragments.

For instance, ?text=<svg/onload=alert(1)> would trigger XSS here.

const [text] = createResource(() => {
return new URL(getRequestEvent().request.url).searchParams.get("text");
});

return (
<>
Text: {text()}
</>
);